DNS name-server in a routing instance

  • 1.  DNS name-server in a routing instance

    Posted 01-29-2021 18:28
    Is there a way to specify a name-server within a virtual-router routing instance and source it from said routing instance? When I try to commit this type of configuration I get an error stating "mgmt_junos instance can only be configured with DNS". If this is the case, is there a workaround, such as DNS proxy?

    My requirement is to provide DNS for my LAN routing instance that has connectivity to the internet and the source address is in this routing instance.

    Example:
    set system name-server 8.8.8.8 routing-instance LAN-HANDOFF
    error: routing-instance: 'LAN-HANDOFF': Only routing-instance supported is mgmt_junos


  • 2.  RE: DNS name-server in a routing instance

    Posted 01-30-2021 09:23
    I also tried forwarding DNS queries for all traffic coming from the specified interface and matched clients, using DNS proxy:

    set system services dns dns-proxy interface ge-0/0/2.0
    set system services dns dns-proxy view INET match-clients 172.20.1.0/24
    set system services dns dns-proxy view INET domain * forwarders 8.8.8.8
    set system services dns dns-proxy view INET domain * forwarders 8.4.4.4

    ge-0/0/2.0 and 172.20.1.0/24 belong in the LAN-HANDOFF routing-instance and they have a route to 8.8.8.8:

    ping routing-instance LAN-HANDOFF 8.8.8.8 source 172.20.1.1
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=12.211 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=12.343 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=12.468 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 12.211/12.341/12.468/0.105 ms

    However, DNS is not working:

    ping routing-instance LAN-HANDOFF inet www.google.co.uk source 172.20.1.1
    ping: cannot resolve www.google.co.uk: Host name lookup failure

    Is DNS proxy supported in routing-instances?


  • 3.  RE: DNS name-server in a routing instance

    Posted 01-30-2021 12:05
    As you note, it looks like only the default routing instance or a management routing instance can be the source for SRX DNS self traffic.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dns-system-management.html

    I don't think using a management instance will work for your normal transit traffic setup.

    So another option would be to create a connection from the default routing instance into this LAN-HANDOFF instance for the DNS server reachability. This could be using logical tunnels between the instances or leaking the necessary routes via rib groups. Naturally you also have to be careful not to create an undesired routing path, as you likely created the virtual router separation for a reason.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: DNS name-server in a routing instance

    Posted 28 days ago
    Thanks Steve, I have followed the latter suggestion and this worked by leaking the routes.

    One very odd thing I have noticed though is that the DNS traffic is being automatically sourced from a configured loopback interface and not the ge-0/0/2.0 in the dns proxy config.

    I have even tried a ping to google.com from a source IP address within 172.20.1.0/24, and in the security flow session output it shows the source address as the loopback! This is only the case for DNS: if I ping the IP address of google.com instead of the URL it works and is sourced from 172.20.1.0/24.

    ping inet www.google.com source 172.20.1.1
    ^C
    In: 10.143.16.5/62046 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
    Out: 8.8.8.8/53 --> 10.143.16.5/62046;udp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 0, Bytes: 0,
    Total sessions: 1

    If I delete the loopback interface temporarily everything works as intended and traffic is sourced from the correct interface.

    Any idea why this behavior is happening and how I can stop traffic being sourced by the loopback? I need to keep the loopback for management access.

    After removal of lo0:

    ping inet www.google.com source 172.20.1.1
    64 bytes from 216.58.204.68: icmp_seq=0 ttl=115 time=17.296 ms
    64 bytes from 216.58.204.68: icmp_seq=1 ttl=115 time=18.897 ms
    64 bytes from 216.58.204.68: icmp_seq=2 ttl=115 time=17.883 ms
    ^C
    In: 172.20.1.1/57245 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
    Out: 8.8.8.8/53 --> 196.72.120.5/7052;udp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 1, Bytes: 76,
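    As an added example (not from the thread or from Juniper), a small Python checker that parses the In/Out wing lines of `show security flow session` output in the format quoted above and reports self-originated DNS sessions whose source address lies outside the expected LAN prefix; the sample lines are constructed from the ones posted, and the `.local..0` ingress interface is assumed to mark self traffic.

    ```python
    """Flag SRX self-originated DNS sessions sourced from an unexpected address."""
    import ipaddress
    import re

    # Constructed sample, modelled on the session wings posted in the thread.
    SESSION_OUTPUT = """\
    In: 10.143.16.5/62046 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
    Out: 8.8.8.8/53 --> 10.143.16.5/62046;udp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 0, Bytes: 0,
    In: 172.20.1.1/57245 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
    Out: 8.8.8.8/53 --> 172.20.1.1/57245;udp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 1, Bytes: 76,
    """

    # One wing line: "<In|Out>: src/sport --> dst/dport;proto, Conn Tag: x, If: ifl, Pkts: n, Bytes: n,"
    WING_RE = re.compile(
        r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);"
        r"(?P<proto>\w+), Conn Tag: \S+, If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+),?$"
    )


    def parse_wings(text):
        """Return one dict per In/Out wing line; lines that do not match are skipped."""
        wings = []
        for line in text.splitlines():
            m = WING_RE.match(line.strip())
            if m:
                wing = m.groupdict()
                for key in ("sport", "dport", "pkts", "bytes"):
                    wing[key] = int(wing[key])
                wings.append(wing)
        return wings


    def self_dns_wings(wings):
        """Self-originated DNS: an 'In' wing to port 53 that entered via .local..0 (assumed)."""
        return [w for w in wings if w["dir"] == "In" and w["dport"] == 53 and w["ifl"] == ".local..0"]


    def misrouted_dns_sources(text, expected_prefix):
        """Sorted source addresses of self-originated DNS sessions outside expected_prefix."""
        net = ipaddress.ip_network(expected_prefix)
        return sorted({w["src"] for w in self_dns_wings(parse_wings(text))
                       if ipaddress.ip_address(w["src"]) not in net})


    if __name__ == "__main__":
        for src in misrouted_dns_sources(SESSION_OUTPUT, "172.20.1.0/24"):
            print(f"DNS query sourced from {src}, outside 172.20.1.0/24: check lo0 / routing-instance")
    ```
    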



  • 5.  RE: DNS name-server in a routing instance

    Posted 27 days ago
    I don't see a way to set the source address for DNS as you can for some other service functions.

    Perhaps you could use an irb interface instead of the loopback to host the mgmt address for remote access instead.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------