Blog Viewer

SRX/CloudATP Multi-Tenant DNS Filtering

By Karel Hendrych posted 27 days ago

  

SRX/CloudATP Multi-Tenant DNS Filtering

Describes the ability of the Juniper SRX, in conjunction with the CloudATP service, to enforce DNS query blocking through an API-driven, multi-tenant approach. Each tenant has its own virtual router, ingress zone, dedicated API token, and independent visibility for granular control and operational separation.

Introduction

Lately, security intelligence services on perimeter firewalls that categorize threat levels for IP addresses and URLs have become a common basic measure to prevent access to known malicious destinations. Companies are also utilizing their own threat intelligence data to enhance vendor and third-party feeds. In certain situations, multi-tenancy with custom threat intelligence on the same physical or virtual firewall may be required. This includes separation from the perspective of the API used to modify the lists of DNS queries to block or sinkhole, as well as ensuring corresponding visibility regarding the actions taken. For example, this could apply to an IoT security use case.

In more detail, the following text explains the ability of CloudATP-enabled SRX devices to filter DNS queries by using per-tenant security intelligence feeds. This is achieved by assigning the SRX device to a CloudATP realm, mapping individual routing instances to API-enabled subordinate realms, and enabling granular DNS query control.

This feature set is available on premium-tier licensed SRX devices because of the use of the CloudATP API. However, an easy way to try it out is by using vSRX with a security subscription Trial license available for registered customers and partners. Alternatively, licenses can be obtained through Juniper sales representatives.

Topology

Let’s consider the following topology. The base configuration of the SRX is detailed in Appendix 1, while the expansion through Secintel settings will be addressed in the upcoming sections. Two tenants—designated as green-colored T1 and blue-colored T2—each have their own virtual router instance linked to the corresponding zone (T1 or T2) via an interface. The default gateway is imported from the VR-COMMON routing instance, which has an interface assigned to the common source NAT-enabled UNTRUST zone leading to the Internet. This default gateway import is unidirectional, utilizing the established flow for return traffic.

Figure 1 demo setup topology

Figure 1 demo setup topology

Summary of Steps

In summary, the approach involves the administrator of the entire setup to:

  • Enroll the SRX into a CloudATP realm called, for example, DNSF-ROOT.
  • Follow this with the creation of two additional CloudATP realms, DNSF-T1 and DNSF-T2, which are attached to DNSF-ROOT.
  • In the Managed Security Services Provider (MSSP) style DNSF-ROOT realm, assign VRs T1 and T2 to the corresponding realms. 
  • Once the SRX-CloudATP setup is complete, establish API tokens for the tenant realms.
  • Follow this with the SRX-side feed and enforcement configuration.
  • Complete the API data load and verification as the final steps.

In this specific example, a challenging aspect of DNS is the use of encryption methods such as DNS over TLS (DoT) and DNS over HTTPS (DoH) by clients, which can evade DNS filtering. This topic will be discussed in the Encrypted DNS section.

CloudATP Setup

The prerequisite is either a commercial Premium CloudATP tier or any Premium trial assigned on the cloud side to the physical SRX serial number. In the case of vSRX, Premium entitlement to the software serial number of the ATP license on the cloud side is required. For vSRX, a Trial license set can be immediately used by registered users.

To establish a Cloud ATP realm, a Juniper account must be used in the corresponding region selected on the global CloudATP page.  

Figure 2 CloudATP realm setup

Figure 2 CloudATP realm setup

In the next step, the SRX device needs to be enrolled by executing the proposed request command in the SRX CLI:

Figure 3 CloudATP SRX enrollment

Figure 3 CloudATP SRX enrollment

Sidenote: in case of enrollment issues, the output can be compared to the successful enrollment output provided in Appendix 2.

Upon CloudATP enrollment, the list of devices will include the actual physical or virtual SRX, as well as arbitrary devices representing routing instances:

Figure 4 list of enrolled SRX devices

Figure 4 list of enrolled SRX devices

CloudATP Tenant Realms

In the next steps, realms for attaching to the DNSF-ROOT realm need to be created from the initial CloudATP page using the same process for both DNSF-T1 and DNSF-T2, as there is no separate process for subordinate realms:

Figure 5 setup of subordinate realms

Figure 5 setup of subordinate realms

Newly created realms must be attached in the DNSF-ROOT under Misc Configuration/Realm Management:

Figure 6 sub-ordinate realm attachment

Figure 6 sub-ordinate realm attachment

After attaching the realms, a drop-down for realm selection will be available in the upper right corner of the DNSF-ROOT:

Figure 7 selection of realms from DNSF-ROOT

Figure 7 selection of realms from DNSF-ROOT

As the next step, in the DNSF-ROOT realm management, device association (Virtual Routers) to realms is configured:

Figure 8 assignment of devices to sub-ordinate realm

Figure 8 assignment of devices to sub-ordinate realm

For example, the resulting list of MSSP-style realms and their associated VR devices:

Figure 9 device association to sub-ordinate realms

Figure 9 device association to sub-ordinate realms

Naturally, when logging in as the DNSF-T1/T2 admin, the management scope is limited to the specific realm, with no realm selection drop-down available:

Figure 10 device view from sub-ordinate realm

Figure 10 device view from sub-ordinate realm

CloudATP API Setup

As noted in the introduction, the purpose of the API is to provide a programmatic approach to loading a custom list of prohibited domains. In an MSSP environment, one tenant may permit certain domains while others may block them, with each having separate API access. 

For the next steps, create folders representing tenants on a Linux/Unix machine equipped with bash and curl, e.g., demo-dnsf-t1 and demo-dnsf-t2.

API token setup is done individually at the tenant realm, either by selecting a particular realm from DNSF-ROOT or by logging in directly. API tokens are created in Administration under Application Tokens:

Figure 11 API token setup

Figure 11 API token setup

Insert the individual API tokens for both tenants into the api-token.txt file located in the corresponding folder created in the previous step:

# echo "DNSF-T1-API-TOKEN" > demo-dnsf-t1/api-token.txt 
# echo "DNSF-T2-API-TOKEN" > demo-dnsf-t2/api-token.txt 

The Juniper Threat Intelligence Open API (documentation) offers a patch option for manipulating feed data (recommended method); however, the easiest option for a lab trial is to recreate the feed object.

A simple one-liner script, api-create-feed.sh, taking the first argument as the DNS feed name and the second as the submitted file containing domain names, may look as follows:

#!/bin/bash
curl --form file=@$2 --request POST \
--url https://threat-api.sky.junipersecurity.net/v2/cloudfeeds/DNS/file/$1 \
--header "Authorization: Bearer `cat api-token.txt`" \

Similarly, here is a one-liner api-delete-feed.sh script for deleting the DNS feed, which accepts the DNS feed name as the first argument:

#!/bin/bash
curl --request DELETE \
  --url https://threat-api.sky.junipersecurity.net/v2/cloudfeeds/DNS/param/$1 \
  --header "Authorization: Bearer `cat api-token.txt`" \
  --header 'Content-Type: multipart/form-data' \
  --form 'server=*'

For example, the domains.txt file contains a list of arbitrary sample domains with a threat level of 10 (which can be referenced in policies in terms of actions).

smartweb2595.com,10
newstore1460.com,10
topapp5226.com,10
topstore7658.com,10
newapp5634.com,10
topweb8022.com,10
happyzone8922.com,10
smartzone3594.com,10
smartspace9672.com,10
newstore4752.com,10

Finally, this may be a simple wrapper script, xreload_feed.sh, that calls the previously created one-liner scripts for creating and deleting the feed for DNSF-T2:

#!/bin/bash
./api-delete-feed.sh demo_dnsf_t2
./api-create-feed.sh demo_dnsf_t2 domains.txt

Sample reload of DNS feeds for both tenants from their corresponding folders:

demo-dnsf-t1# ./xreload_feed.sh 
{"message":"Successfully deleted feed.","request_id":"0bd1e788-f2ab-41c6-b6c1-2d8aee6b8c58"}
{"request_id":"7a0fdadb-9850-4061-8192-d45fc6178c33"}

demo-dnsf-t2# ./xreload_feed.sh
{"message":"Successfully deleted feed.","request_id":"6a0096e7-2411-445d-8c10-be12b740e534"}
{"request_id":"73fa6064-33ec-4ea7-bec9-20b16fac2128"}

SRX Settings

In addition to the sample base configuration available in Appendix 1, the following configuration sets up the SRX Security Intelligence to use the API-created feeds. All matching DNS domain requests flagged with a threat level of 10 will be discarded and logged:

set services security-intelligence profile t1 category DNS
set services security-intelligence profile t1 rule 1 match feed-name demo_dnsf_t1
set services security-intelligence profile t1 rule 1 match threat-level 10
set services security-intelligence profile t1 rule 1 then action block drop
set services security-intelligence profile t1 rule 1 then log
set services security-intelligence profile t2 category DNS
set services security-intelligence profile t2 rule 1 match feed-name demo_dnsf_t2
set services security-intelligence profile t2 rule 1 match threat-level 10
set services security-intelligence profile t2 rule 1 then action block drop
set services security-intelligence profile t2 rule 1 then log

Sidenote: if the Juniper-supplied DNS threat feed is not used in any other profile, the following configuration can be used to disable it:

set services security-intelligence global-disable-feed feed-name global_dns

Then, the profiles are referenced by the Security Intelligence policy:

set services security-intelligence policy t1 DNS t1
set services security-intelligence policy t2 DNS t2

And Security Intelligence policies are referenced by the actual firewall policies:

edit security policies
set from-zone t1 to-zone common policy t1 then permit application-services security-intelligence-policy t1
set from-zone t2 to-zone common policy t2 then permit application-services security-intelligence-policy t2

To receive Secintel logs in the CloudATP portal via the data plane channel, the source interface needs to be specified due to the use of a non-default routing table towards the Internet. Additionally, for simple on-box logging, the JWeb report infrastructure can be used:

set services advanced-anti-malware connection source-interface ge-0/0/0.0   
set security log report

The first place to verify whether the DNS feeds have been loaded is in the summary view of Secintel categories, where 'Vrf name' represents the Virtual Router attribute of the feed. Internally, the SRX adds an extra dimension of the routing instance to the feeds received from the CloudATP DNSF-ROOT realm:

> show services security-intelligence category summary    

Category name     :DNS
  Status          :Enable
  Description     :DNS sinkhole
  Update interval :60s
  TTL             :3456000s
  Feed name       :demo_dnsf_t1
    logical-system:root-logical-system
    Vrf name      :vr-t1
    Version       :20241125.0
    Objects number:10
    Create time   :2024-11-25 09:33:50 CET
    Update time   :2024-11-25 09:40:27 CET
    Update status :Store succeeded
    Expired       :No
    Status        :Active
    Options       :N/A
  Feed name       :demo_dnsf_t2
    logical-system:root-logical-system
    Vrf name      :vr-t2
    Version       :20241125.0
    Objects number:10
    Create time   :2024-11-25 09:34:58 CET
    Update time   :2024-11-25 09:40:27 CET
    Update status :Store succeeded
    Expired       :No
    Status        :Active
    Options       :N/A

The content of the feed for the DNS category can be viewed as follows:

> show services security-intelligence category detail category-name DNS feed-name demo_dnsf_t1     

Category name   :DNS
  Feed name     :demo_dnsf_t1
  logical-system:root-logical-system
  Vrf name      :vr-t1
  Version       :20241125.0
  Objects number:10
  Create time   :2024-11-25 09:33:50 CET
  Update time   :2024-11-25 09:41:03 CET
  Update status :Store succeeded
  Expired       :No
  Options       :N/A
  { url:coolsite3022.com threat_level:10}
  { url:fastweb7639.com threat_level:10}
  { url:greatsite8880.com threat_level:10}
  { url:greattech2443.com threat_level:10}
  { url:happyworld5071.com threat_level:10}
  { url:mytech2524.com threat_level:10}
  { url:newapp1289.com threat_level:10}
  { url:smartweb881.com threat_level:10}
  { url:smartworld7813.com threat_level:10}
{ url:topworld938.com threat_level:10}

Verification 

One of the many options is to validate using the host command (from the bind9-host package). DNS resolution works for juniper.net, but times out for the hostname listed in the feed:

# host juniper.net
juniper.net has address 44.224.71.252

# host coolsite3022.com
;; connection timed out; no servers could be reached


Sidenote: in the case of an allowed DNS query to a non-existent domain, an NXDOMAIN status would be returned.

Secintel counters indicate the actions taken per DNS query type:

> show services security-intelligence dns-statistics profile t1    

Category DNS:
  Profile t1:
  DNS Query Type       Requests      Sinkhole      Drop          Permit        Log

UDP Counter:
            A              4             0             2             0            2
         AAAA              1             0             0             0            0
           MX              1             0             0             0            0
        CNAME              0             0             0             0            0
          SRV              0             0             0             0            0
    SRV NoErr              0             0             0             0            0
          TXT              0             0             0             0            0
    TXT NoErr              0             0             0             0            0
          ANY              0             0             0             0            0
         MISC              0             0             0             0            0
<SNIP>
      Total              6             0             2             0            2

Details about the drop can be found in the SRX logs:

> show security log report in-detail dns threat-severity 10
    
2024-11-30T19:26:44 vsrx-dnsf RT_SECINTEL - DNSF_ACTION_LOG [sub-category="custom" query-type="A" protocol-id="17" feed-name="demo_dnsf_t1" source-address="10.1.1.10" destination-address="1.1.1.1" category="dns" query="coolsite3022.com" action="drop" source-port="58866" destination-port="53" policy-name="t1" profile-name="t1" username="N/A" session-id="10" source-zone-name="t1" destination-zone-name="common" threat-severity="10"]

And the corresponding CloudATP realm log:

Figure 12 CloudATP tenant DNS action view

Figure 12 CloudATP tenant DNS action view

In the case of no logs appearing in the CloudATP realm, the first place to check is the CloudATP data plane connection to see if there is any active connection, as shown below:

> show services advanced-anti-malware status 

Server connection status:
  Server hostname: srxapi.eu-west-1.sky.junipersecurity.net
  Server realm: demo-dnsf-root
  Server port: 443
  Proxy hostname: None
  Proxy port: None
    Control Plane:
      Connection time: 2024-11-25 10:20:44 CET
      Connection status: Connected
    Service Plane:
      master
       Connection active number: 1
      Connection retry statistics: 1

Encrypted DNS 

Obviously, encrypted DNS, such as DoH and DoT, evades filtering unless interception capability exists. Another method is to prohibit encrypted DNS communication and allow the clients to fall back to traditional unencrypted DNS. 

The following would reconfigure Tenant 1 policies to reject the L7 meta-application DNS-ENCRYPTED, representing DoH and DoT, and turn classic firewall rules into a unified NGFW style by using dynamic-application match:

delete security policies from-zone t1 to-zone common
edit security policies from-zone t1 to-zone common
set policy t1-reject match source-address any
set policy t1-reject match destination-address any
set policy t1-reject match application any
set policy t1-reject match dynamic-application junos:DNS-ENCRYPTED
set policy t1-reject then reject
set policy t1-reject then log session-init
set policy t1 match source-address any
set policy t1 match destination-address any
set policy t1 match application any
set policy t1 match dynamic-application any
set policy t1 then permit application-services security-intelligence-policy t1
set security policies global policy reject-log match dynamic-application any

Sample logs of Application Firewall reject action for DoH:

> show security log report in-detail session deny 
                   
2024-11-30T19:27:43 vsrx-dnsf RT_FLOW - RT_FLOW_SESSION_DENY [application="SSL" source-address="10.1.1.10" destination-address="8.8.8.8" nested-application="DNS-ENCRYPTED" username="10.1.1.10" policy-name="t1-reject" packet-incoming-interface="ge-0/0/1.181" source-zone-name="t1" destination-zone-name="common" session-id="13" source-port="35058" destination-port="443" protocol-id="TCP" reason="Rejected by policy"]

Appendix: Configurations 

Appendix 1 – base SRX config

set version 24.2R1-S1.10
set system host-name vsrx-dnsf
set system syslog file messages any any
set system syslog file messages archive size 5m
set system syslog file messages archive files 5
set services application-identification
set security log mode stream
set security alg h323 disable
set security alg mgcp disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg rtsp disable
set security alg sccp disable
set security alg sip disable
set security alg talk disable
set security alg tftp disable
set security alg pptp disable
set security flow tcp-session strict-syn-check
set security nat source rule-set common from zone t1
set security nat source rule-set common from zone t2
set security nat source rule-set common to zone common
set security nat source rule-set common rule common match source-address 0.0.0.0/0
set security nat source rule-set common rule common match destination-address 0.0.0.0/0
set security nat source rule-set common rule common then source-nat interface
set security policies from-zone t1 to-zone common policy t1 match source-address any
set security policies from-zone t1 to-zone common policy t1 match destination-address any
set security policies from-zone t1 to-zone common policy t1 match application any
set security policies from-zone t1 to-zone common policy t1 then permit
set security policies from-zone t2 to-zone common policy t2 match source-address any
set security policies from-zone t2 to-zone common policy t2 match destination-address any
set security policies from-zone t2 to-zone common policy t2 match application any
set security policies from-zone t2 to-zone common policy t2 then permit
set security policies global policy reject-log match source-address any
set security policies global policy reject-log match destination-address any
set security policies global policy reject-log match application any
set security policies global policy reject-log match to-zone common
set security policies global policy reject-log then reject
set security policies global policy reject-log then log session-init
set security zones security-zone common interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone t1 interfaces ge-0/0/1.181 host-inbound-traffic system-services ping
set security zones security-zone t1 tcp-rst
set security zones security-zone t2 interfaces ge-0/0/1.182 host-inbound-traffic system-services ping
set security zones security-zone t2 tcp-rst
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/1 vlan-tagging    
set interfaces ge-0/0/1 unit 181 vlan-id 181
set interfaces ge-0/0/1 unit 181 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 182 vlan-id 182
set interfaces ge-0/0/1 unit 182 family inet address 10.2.1.1/24
set policy-options policy-statement import-from-common term 1 from instance vr-common
set policy-options policy-statement import-from-common term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement import-from-common term 1 then accept
set policy-options policy-statement import-from-common term 100 then reject
set routing-instances vr-common instance-type virtual-router
set routing-instances vr-common routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-instances vr-common interface ge-0/0/0.0
set routing-instances vr-t1 instance-type virtual-router
set routing-instances vr-t1 routing-options instance-import import-from-common
set routing-instances vr-t1 interface ge-0/0/1.181
set routing-instances vr-t2 instance-type virtual-router
set routing-instances vr-t2 routing-options instance-import import-from-common
set routing-instances vr-t2 interface ge-0/0/1.182

Appendix 2 – Sample CloudATP Enrollment 

Platform is supported by ATP Cloud: VSRX.
Version 24.2R1-S1.10 is valid for bootstrapping.
Enrolling with ATP Cloud license serial number: 20161111.
Going to enroll single device for VSRX: f8ef568918e0@20161111 with hostname vsrx-dnsf.
Not finding Application Signature DB on this device.
Installing Application Signature DB.
Start downloading Application Signature DB update...
Check Application Signature DB download status...
Wait for Application Signature DB signature download status...
Start installing Application Signature DB update...
Communicate with cloud...
License type for this device: premium.
License of your device will expire in 714 days.
Remove related security-intelligence service configurations...
Remove related advanced-anti-malware service configurations...
Remove related SSL service configurations...
Remove related PKI configurations...
Clear local certificate aamw-srx-cert...
Clear key pair: aamw-srx-cert...
Clear CA profile aamw-cloud-ca...
Clear CA profile aamw-secintel-ca...
Configure CA...
Request aamw-secintel-ca CA...
Wait aamw-secintel-ca CA download status...
Load aamw-secintel-ca CA...
Request aamw-cloud-ca CA...
Wait aamw-cloud-ca CA download status...
Load aamw-cloud-ca CA...
Retrieve CA profile aamw-ca...
CA certificate ready: aamw-ca...
CA certificate ready: aamw-cloud-ca...
CA certificate ready: aamw-secintel-ca...
Generate key pair: aamw-srx-cert...
Enroll local certificate aamw-srx-cert with CA server...
Configure SSL service...
Configuration added successfully for SSL service.
Configure advanced-anti-malware service...
Configuration added successfully for advanced-anti-malware service.
Configure security-intelligence service...
Configuration added successfully for security-intelligence service.
Check configuration on device...
SSL profile:                          [OK]
SecIntel CA:                          [OK]
Cloud CA:                             [OK]
Client cert found:                    [OK]
SSL profile action:                   [OK]
URL for advanced-anti-malware:        [OK]
Profile for advanced-anti-malware:    [OK]
URL for security-intelligence:        [OK]
Profile for security-intelligence:    [OK]
All configurations are correct for enrollment.
Communicate with cloud...
Wait for aamw connection status...
Device enrolled successfully!
Please see following links for more information:
ATP Cloud sample config:
 https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/example/configuration/sky-atp-policy-creating-cli.html
ATP Cloud quick start guide:
 http://www.juniper.net/documentation/en_US/release-independent/sky-atp/information-products/topic-collections/sky-atp-qsg.pdf
ATP Cloud technical documents:
 http://www.juniper.net/documentation/en_US/release-independent/sky-atp/information-products/pathway-pages/index.html
It is recommended to run diagnostic process with the following cli command to make sure all configurations are valid:
 request services advanced-anti-malware diagnostics srxapi.eu-west-1.sky.junipersecurity.net detail

Conclusion

The discussed feature set brings the following benefits:

  • Strengthens defense by allowing organizations to block or sinkhole malicious DNS queries with precision.
  • Allows combining vendor-provided intelligence with custom threat feeds to address unique business risks.
  • Facilitates granular threat intelligence enforcement for multiple tenants on a single SRX device, reducing infrastructure complexity and costs.
  • Empowers tenants with independent control, visibility, and API access, improving customer satisfaction in managed service environments.

Useful Links

Glossary

  • API: Application Programming Interface
  • ATP: Advanced Threat Prevention
  • CLI: Command Line Interface
  • DNS: Domain Name System
  • DoH: DNS over HTTPS
  • DoT: DNS over TLS
  • GUI: Graphical User Interface
  • HTTPS: Hyper Text Transfer Protocol Secure
  • MSSP: Managed Security Services Provider
  • NGFW: Next Generation Firewall
  • TLS: Transport Layer Security
  • VR: Virtual Router

Acknowledgments

All the people who provided valuable feedback – Mark Barrett, Kelly Brazil, Tim Carlens, Javier Grizzuti, Steven Jacques, Matthijs Nagel - and others from team JNPR! Finally, vSRX/SRX dev and product teams for delivering the Swiss army knife for security and networking.

Comments

If you want to reach out for comments, feedback, or questions, drop us an email at:

Revision History

Version Author(s) Date Comments
1 Karel Hendrych December 2024 Initial Publication


#SolutionsandTechnology

Permalink