SRX


  • 1.  Juniper DNS resolution and S3 bucket dynamic IP

    Posted 02-04-2022 10:19
    Hello,

    I set up the DNS proxy on the Juniper in order to have the same resolution of my S3 bucket IP on my firewall/client; this is working well. As the TTL of this domain (for example s3.us-east-1.amazonaws.com) is 7 seconds, it was necessary to make sure the client/firewall resolve the same IP at the same time.

    But I'm facing a big problem with a policy that doesn't match the destination IP (S3). If I run this command:

    > show security policies policy-name mypolicy detail
    ....
    Destination addresses:
    s3: 52.217.68.118/32
    ...

    The IP shown here is updated every 20 seconds, while the TTL is much lower, and if I try to ping this domain from my Juniper I see the IP changing every x seconds.

    So why does the policy update every 20 seconds and not when the DNS resolution catches a new IP?

    What is the purpose of that? How can I make sure the policy updates the destination IP when the DNS cache expires and not after 20 seconds?

    There is no indicator anywhere saying it must update the policy destination address after 20 seconds; I just counted.

    Thank you,

    ------------------------------
    Oliver Duruiss
    ------------------------------


  • 2.  RE: Juniper DNS resolution and S3 bucket dynamic IP

     
    Posted 11 days ago
    My rather inelegant solution is to run a script on a local server that maintains a list of every IP address seen for Amazon, Salesforce, Google, etc., and manually update my firewalls when a new address for any of these services is detected. Supposedly there is a way to automate the updates, but I haven't found it/implemented it.

    ------------------------------
    Theodore
    ------------------------------



  • 3.  RE: Juniper DNS resolution and S3 bucket dynamic IP

    Posted 10 days ago

    The automated update Theodore is looking for is "dynamic-feeds":

    [edit security dynamic-address]
    set security dynamic-address feed-server <server-name> url http://<server:port>/<folder-or-file-path>
    set security dynamic-address feed-server <server-name> update-interval <seconds>
    set security dynamic-address feed-server <server-name> hold-interval <seconds>
    set security dynamic-address feed-server <server-name> feed-name <name-of-feed> path <Path of feed, appended to feed-server to form a complete URL>
    set security dynamic-address address-name <name-of-address> profile feed-name <Name of feed in feed-server for this dynamic address>

    Use "show security dynamic-address" to list the feeds, and use <name-of-address> in the security policies.

    There are some examples here:

    https://www.reddit.com/r/Juniper/comments/i2t97y/srx_loading_custom_dynamiciplists_from_your_own/
    https://github.com/nchekwa/cloud-iprange-feeder

    --
    Thor



    ------------------------------
    THOR-HENRIK KVANDAHL
    ------------------------------



  • 4.  RE: Juniper DNS resolution and S3 bucket dynamic IP

     
    Posted 10 days ago

    Thanks, I found the same config settings separately... I could have been lazy and saved half an hour...


    Before 19.3R1 it says I have to sort them, but nowhere does it say how. I presume by position, not by number.number.number.number, which would mean that 1.2.3.4 would come before 1.11.22.33. Do you know if this is accurate, and if not, will it crash Junos or simply reject the update?



    ------------------------------
    Theodore
    ------------------------------



  • 5.  RE: Juniper DNS resolution and S3 bucket dynamic IP

     
    Posted 10 days ago
    Also, you have to remember that if this is inbound traffic, you control the DNS and can update the address books as required. If this is for outbound traffic, you need to know what address is being returned to each client, because enough large companies now use anycast DNS, i.e. they're using BGP to feed DNS resolvers based on their locations. In my case I have two sites in different states, and my script that creates the IP address lists queries a DNS server in each state just to cover the eventuality where www.example.com is 1.2.3.4 from Atlanta and 1.2.3.5 from elsewhere. My script feeds both addresses to both firewalls just in case.

    ------------------------------
    Theodore
    ------------------------------
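A feed-generator script along the lines the thread describes, added here as an example: it is not code from the thread, from Juniper, or from the linked cloud-iprange-feeder project. It covers the three points raised above: producing a file to publish at the `feed-server` URL from Thor's config (post 3), sorting the entries numerically rather than as strings so that 1.2.3.4 precedes 1.11.22.33 (post 4), and querying a resolver at each site and merging the answers so that both anycast results end up in the feed (post 5). The resolver signature, the `dnspython`-based live lookup, the plain one-entry-per-line feed format with `#` comments, and the nameserver addresses and DNS answers are all assumptions or constructed sample data, labelled as such in the code.

```python
"""Build a sorted dynamic-address feed file from DNS answers gathered at several resolvers."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical resolver signature used throughout: (hostname, nameserver_ip) -> list of address strings.
Resolver = Callable[[str, str], List[str]]

# Constructed sample answers standing in for real DNS responses (not live data).
# Two resolvers in different regions return different addresses for the same name,
# which is the anycast situation described in the thread.
SAMPLE_ANSWERS: Dict[tuple, List[str]] = {
    ("s3.us-east-1.amazonaws.com", "198.51.100.1"): ["52.217.68.118", "52.216.100.5"],
    ("s3.us-east-1.amazonaws.com", "203.0.113.1"): ["52.217.68.118", "3.5.29.10"],
    ("www.example.com", "198.51.100.1"): ["1.2.3.4"],
    ("www.example.com", "203.0.113.1"): ["1.2.3.5", "1.11.22.33"],
}


def sample_resolve(host: str, nameserver: str) -> List[str]:
    """Offline stand-in for a DNS lookup, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get((host, nameserver), [])


def dnspython_resolve(host: str, nameserver: str) -> List[str]:
    """Live A-record lookup against one specific nameserver using the third-party
    dnspython package (imported lazily so the rest of the script runs without it)."""
    import dns.resolver  # pip install dnspython
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    return [rr.address for rr in resolver.resolve(host, "A")]


def collect_addresses(hostnames: Iterable[str], nameservers: Iterable[str],
                      resolve: Resolver) -> Set[str]:
    """Query every hostname at every resolver and return the union of all answers,
    so a client that receives the 'other' anycast answer is still matched by the policy."""
    seen: Set[str] = set()
    for host in hostnames:
        for ns in nameservers:
            for addr in resolve(host, ns):
                # ip_address() validates and normalises the string; garbage raises ValueError
                seen.add(str(ipaddress.ip_address(addr)))
    return seen


def merge_history(history: Dict[str, int], fresh: Iterable[str],
                  now: int, max_age_seconds: int) -> Dict[str, int]:
    """Fold freshly seen addresses into a persistent {address: last_seen_epoch} map and
    drop entries not seen within max_age_seconds. With a 7-second TTL and a feed the SRX
    only pulls every update-interval, a feed built from a single lookup would flap;
    remembering what was seen recently keeps all of the rotating addresses in the feed."""
    updated = dict(history)
    for addr in fresh:
        updated[addr] = now
    return {addr: ts for addr, ts in updated.items() if now - ts <= max_age_seconds}


def sort_numerically(addresses: Iterable[str]) -> List[str]:
    """Sort by address value (IPv4 before IPv6), not by string: numerically 1.2.3.4
    precedes 1.11.22.33, whereas a plain string sort puts '1.11.22.33' first."""
    def key(addr: str):
        ip = ipaddress.ip_address(addr)
        return (ip.version, int(ip))
    return sorted(addresses, key=key)


def render_feed(addresses: Iterable[str]) -> str:
    """Produce the feed-file body: one host prefix per line, numerically sorted.
    The one-entry-per-line plain-text format with '#' comments is assumed here."""
    lines = ["# generated dynamic-address feed (assumed plain-text format)"]
    for addr in sort_numerically(addresses):
        ip = ipaddress.ip_address(addr)
        lines.append(f"{ip}/{ip.max_prefixlen}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = ["s3.us-east-1.amazonaws.com", "www.example.com"]
    resolvers = ["198.51.100.1", "203.0.113.1"]  # constructed: one resolver per site
    fresh = collect_addresses(hosts, resolvers, sample_resolve)
    history = merge_history({}, fresh, now=2000, max_age_seconds=86400)
    print(render_feed(history))
```

Run it on a schedule shorter than the `update-interval` configured on the SRX, persist the history map between runs, and publish the rendered text at the `path` configured under `feed-name`. Swapping `sample_resolve` for `dnspython_resolve` (or any other function with the same signature) turns it into a live collector; the union-plus-history approach is what keeps short-TTL round-robin names from dropping out of the feed between pulls.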