SRX


Allow DNS 'from' SRX outbound when management firewall filter applied

  • 1.  Allow DNS 'from' SRX outbound when management firewall filter applied

    Posted 06-11-2020 02:09

    I have a firewall filter applied to my loopback to lock down management traffic to the SRX. This works fine with no issues. I need to allow outbound DNS requests 'from' the firewall (the firewall is doing name resolution). I have seen previously that you can do similar things with TCP traffic (ssh), where you use the tcp-established option to be able to initiate ssh connections from the SRX to another device. I want to do the same thing for DNS requests (udp 53). How would I achieve the same thing? I want to have the policy as generic as possible so it can be rolled out to other devices, so I don't want to specify the source IP (the loopback).

     

    Any tips appreciated. 



  • 2.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

     
    Posted 06-11-2020 02:25

    Hello , 

     

    Normally the loopback filter to lock down management access works as an "input filter" and should not impact any traffic generated from the firewall to outside. Since DNS is generated from the firewall to outside, it will only be checked by any output filter on the loopback/external interface. So this management filter should not cause any impact for DNS originated from the device.

    If you are worried about the return packet from the DNS server to the SRX, probably you can add a filter term to allow UDP 53.



  • 3.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

    Posted 06-11-2020 02:39

    Hi Sam

     

    Thanks for clarifying, yes that makes sense. It definitely doesn't work with the filter applied, but that's probably the return traffic being blocked like you say (mgmt filters not stateful). The problem that I have is that if I allow it on the management filter, then if anybody ever set the firewall up as a DNS proxy it would allow name resolution requests from the internet. That's why I'm hesitant to do that.

     

    Thanks



  • 4.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

     
    Posted 06-11-2020 03:01

    Hello , 

     

    Understood. Another option which I can think of is to have a source specified for the name-server in the SRX and allow that IP on the filter. So the DNS proxy will be taking the loopback, and any host-generated DNS will take the source IP mentioned.

     

    set system name-server 8.8.8.8 source-address <ip.addr>



  • 5.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

    Posted 06-11-2020 03:05

    Yes that's an option also. I've been thinking about it and I might allow 'from' the specific DNS server IPs e.g. Cloudflare, that way it will only be allowing the return traffic from those name servers and then the filter will still be generic because the name server will be the same across all firewalls. Thanks for all your help and suggestions.



  • 6.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied
    Best Answer

     
    Posted 06-11-2020 03:10

    Hello , 

     

    Thanks. If this helps, please make sure to post the results and mark as solved for future reference.



  • 7.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

    Posted 06-11-2020 06:37

    set firewall filter mgmt-plane term DNS from source-prefix-list DNS-SERVERS
    set firewall filter mgmt-plane term DNS from protocol tcp
    set firewall filter mgmt-plane term DNS from protocol udp
    set firewall filter mgmt-plane term DNS from port domain
    set firewall filter mgmt-plane term DNS then accept



  • 8.  RE: Allow DNS 'from' SRX outbound when management firewall filter applied

     
    Posted 06-11-2020 02:38

    Hello , 

     

    You can use something like :

     

    set firewall filter Protect-RE term DNS from protocol udp
    set firewall filter Protect-RE term DNS from source-port 53
    set firewall filter Protect-RE term DNS then accept
    set firewall filter Protect-RE term DNS-1 from protocol udp
    set firewall filter Protect-RE term DNS-1 from destination-port 53
    set firewall filter Protect-RE term DNS-1 then accept
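    Pulling the two answers above together, here is a complete lo0 input filter written as an added example for this thread (it is not configuration posted by any participant). It follows the approach from post 5 and post 7: replies are accepted only when they come from the named resolvers and from source port 53, so the filter stays generic across devices, while anything destined to port 53 on the device itself is discarded, which is the protection the original poster wanted against a later dns-proxy change. Note that `port domain`, as used in post 7, matches either the source or the destination port, whereas `source-port domain` only matches replies; the second term (DNS-1) in post 8 accepts queries to the device from any source and is exactly what this example avoids. The prefix-list contents and management range are placeholder addresses from the documentation ranges (TEST-NET); the term and filter names are assumptions.

```junos
/* Added example, not from the thread. Placeholder addresses throughout. */
policy-options {
    /* Resolvers the SRX itself sends queries to (placeholder TEST-NET addresses). */
    prefix-list DNS-SERVERS {
        192.0.2.53/32;
        198.51.100.53/32;
    }
    /* Hosts allowed to manage the device (placeholder range). */
    prefix-list MGMT-HOSTS {
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter mgmt-plane {
            /* Replies to queries the device sent: known resolver, source port 53,
               UDP and TCP (TCP is used when an answer is truncated). */
            term DNS-REPLIES {
                from {
                    source-prefix-list {
                        DNS-SERVERS;
                    }
                    protocol [ udp tcp ];
                    source-port domain;
                }
                then accept;
            }
            /* Queries aimed at port 53 on the device are dropped and logged, so an
               accidental dns-proxy configuration never answers the internet. */
            term DNS-QUERIES-DENY {
                from {
                    protocol [ udp tcp ];
                    destination-port domain;
                }
                then {
                    log;
                    discard;
                }
            }
            /* Management access from the allowed hosts only. */
            term MGMT {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Return traffic for TCP sessions the device initiated, e.g. SSH out. */
            term TCP-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Explicit default deny, counted so the counter can be watched. */
            term DENY-ALL {
                then {
                    count mgmt-plane-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Input only: queries leaving the device are not evaluated here. */
                filter {
                    input mgmt-plane;
                }
            }
        }
    }
}
```

Because the filter is stateless, the DNS-REPLIES term matches on the resolver address and source port rather than on any session state; the same config can be pushed to every device as long as they all use the same resolvers. Keep the resolvers in the prefix-list in step with `set system name-server`, otherwise replies from a resolver not in the list fall through to DENY-ALL. After committing, `show firewall filter mgmt-plane` shows the `mgmt-plane-denied` counter and `show firewall log` shows what the two logging terms dropped, which is a quick way to confirm that replies are being accepted and stray queries are being discarded.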