We're conflating multiple things here.
Original Message:
Sent: 10-31-2025 16:32
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Correct, but why would my Juniper try to route via 10.0.0.20 in the first place? That is a static interface used for my VPN tunnels and doesn't even route to the outside internet. I need the Juniper to use 192.168.20.1 as the source for the lookup since that address can access the external internet. Like I said before, there is no traffic that comes back when I run the monitor command because the Juniper is dropping it on the way back, because it is asymmetric to the original path. The flow should go like this: Client query sent to 192.168.20.1 > Juniper recognizes it's an external domain > sends requests to 8.8.8.8 via 192.168.20.1 > request follows the same path back.
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-31-2025 15:28
From: Nikolay Semov
Subject: Juniper SRX300 Split DNS Proxy
The interface you configure under "dns-proxy" specifies which interface is listening for DNS requests for clients, not which interface is used when sending requests to the configured forwarders.
Also, the session output you included shows the SRX is successfully reaching out to the forwarders, so that's not the problem.
Please provide a traffic capture (monitor traffic interface ge-0/0/1.0) of one or more complete request-and-response pairs illustrating the problem you're having.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-31-2025 14:37
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
I found the issue, I believe! It seems that even though I have the interface selected as ge-0/0/1.0 in my dns-proxy config, it is sending the requests out my st0.0 interface, which is at 10.0.0.20. See the security flow below that shows this. Is that a Junos bug? In my other site where this dns-proxy works, it sends the requests out the correct address specified by the interface in dns-proxy.
Session ID: 90194319426, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 10.0.0.20/58122 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 71,
  Out: 8.8.8.8/53 --> EXTERNAL_PUBLIC_IP_HERE/23509;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 349,
Session ID: 85899391940, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 10.0.0.20/61488 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 92,
  Out: 8.8.8.8/53 --> EXTERNAL_PUBLIC_IP_HERE/3959;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 308,
Session ID: 85899402554, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 10.0.0.20/49776 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 68,
  Out: 8.8.8.8/53 --> EXTERNAL_PUBLIC_IP_HERE/4988;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 329,
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-29-2025 17:31
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Sounds good! I will go through the config again and see if I have any asymmetrical routing problems. I think that is the issue though. Thanks!
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-29-2025 16:20
From: Nikolay Semov
Subject: Juniper SRX300 Split DNS Proxy
Yeah, this will require closer examination of your overall config. It would be useful if you can sanitize it and post it.
One pitfall that comes to mind is that the DNS proxy service on the SRX runs only in the main / default / master routing instance, and you should bind it only to an interface in that routing instance. Even then, though, you can use D-NAT to send traffic from other routing instances to the default routing instance so the DNS request can be processed.
If you don't have non-default routing instances configured, then check security zone configuration.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-29-2025 15:49
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Good idea with checking the packet drop records. It shows the following entries between my client and the Juniper DNS proxy address. Some sort of routing issue for the return traffic, maybe?
18:07:49.224371:LSYS-ID-00 192.168.6.1/53-->10.6.120.3/43262;udp,ipid-21005,.local..0,Dropped by FLOW:First path Pkt not syn
18:07:49.222454:LSYS-ID-00 192.168.6.1/53-->10.6.120.3/55432;udp,ipid-21004,.local..0,Dropped by FLOW:First path Pkt not syn
------------------------------
ZAKRIS SHMAGRANOFF
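The two outputs discussed in this thread, the "show security flow session" listing (queries to the forwarders sourced from 10.0.0.20 and source-NATed out ge-0/0/0.0) and the "show security packet-drop records" lines (replies from 192.168.6.1/53 dropped as "First path Pkt not syn"), are easy to eyeball for three sessions but not for a busy box. The following script is an added example, not code from the thread or from Juniper: it parses both output formats and flags forwarder queries that are not sourced from the address the proxy is expected to use, plus dropped DNS replies leaving the proxy address. The sample text is constructed from the lines posted above; 203.0.113.10 stands in for the redacted public IP, the third session and the third drop line are invented for contrast, and the expected source address 192.168.20.1 and proxy address 192.168.6.1 are taken from the posts and are assumptions about the poster's setup.

```python
"""Audit Junos SRX flow-session and packet-drop output for a DNS proxy.

Two checks from the thread: which address the SRX used as the source of its
queries to the forwarders, and whether DNS replies from the proxy address back
to clients are being dropped ("First path Pkt not syn").
"""
import re

# Constructed sample, modelled on the `show security flow session` output
# posted in the thread. 203.0.113.10 replaces the redacted public IP; the third
# session is invented to show a query sourced from the expected address.
SESSION_OUTPUT = """\
Session ID: 90194319426, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 10.0.0.20/58122 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 71,
  Out: 8.8.8.8/53 --> 203.0.113.10/23509;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 349,
Session ID: 85899391940, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 10.0.0.20/61488 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 92,
  Out: 8.8.8.8/53 --> 203.0.113.10/3959;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 308,
Session ID: 85899402554, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 192.168.20.1/49776 --> 8.8.4.4/53;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 68,
  Out: 8.8.4.4/53 --> 203.0.113.10/4988;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 329,
"""

# Constructed sample, modelled on the `show security packet-drop records`
# lines in the thread; the third line is an invented non-DNS drop.
DROP_OUTPUT = """\
18:07:49.224371:LSYS-ID-00 192.168.6.1/53-->10.6.120.3/43262;udp,ipid-21005,.local..0,Dropped by FLOW:First path Pkt not syn
18:07:49.222454:LSYS-ID-00 192.168.6.1/53-->10.6.120.3/55432;udp,ipid-21004,.local..0,Dropped by FLOW:First path Pkt not syn
18:07:50.001000:LSYS-ID-00 10.6.120.3/40000-->192.168.1.24/443;tcp,ipid-21010,ge-0/0/1.0,Dropped by FLOW:First path Pkt not syn
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(
    r"^\s*(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+),.*?If: (\S+),"
)
DROP_RE = re.compile(
    r"^(\S+):LSYS-ID-\d+ ([\d.]+)/(\d+)-->([\d.]+)/(\d+);(\w+),ipid-\d+,([^,]+),Dropped by (.+)$"
)


def parse_sessions(text):
    """Return one dict per session: its id plus the parsed In and Out wings."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            wing, src, sport, dst, dport, proto, ifname = w.groups()
            current[wing.lower()] = {"src": src, "sport": int(sport), "dst": dst,
                                     "dport": int(dport), "proto": proto, "if": ifname}
    return sessions


def audit_forwarder_sessions(sessions, forwarders, expected_source):
    """Flag DNS queries to the forwarders that are not sourced from expected_source.

    The Out wing of a Junos session is the reverse flow with NAT applied, so an
    Out destination that differs from the In source means the query was SNATed.
    """
    findings = []
    for s in sessions:
        i, o = s.get("in"), s.get("out")
        if not i or i["dport"] != 53 or i["dst"] not in forwarders:
            continue
        if i["src"] == expected_source:
            continue
        findings.append({
            "session": s["id"], "src": i["src"], "forwarder": i["dst"],
            "egress_if": o["if"] if o else None,
            "snat_to": o["dst"] if o and o["dst"] != i["src"] else None,
        })
    return findings


def audit_drops(text, proxy_addr):
    """Return dropped packets that are DNS replies leaving the proxy address."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, proto, ifname, reason = m.groups()
        if src == proxy_addr and int(sport) == 53:
            drops.append({"time": ts, "client": dst, "client_port": int(dport),
                          "if": ifname, "reason": reason})
    return drops


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_OUTPUT)
    for f in audit_forwarder_sessions(sessions, {"8.8.8.8", "8.8.4.4"}, "192.168.20.1"):
        print(f"session {f['session']}: query to {f['forwarder']} sourced from "
              f"{f['src']} (SNAT to {f['snat_to']} on {f['egress_if']})")
    for d in audit_drops(DROP_OUTPUT, "192.168.6.1"):
        print(f"{d['time']}: reply to {d['client']}:{d['client_port']} dropped "
              f"on {d['if']}: {d['reason']}")
```

Run it against a pasted copy of both commands' output; the session audit tells you which source address and egress interface the proxy actually used (the point made earlier in the thread that the dns-proxy interface is only the listening side), and the drop audit isolates reply packets to clients that the flow module treated as a new session, which is the signature of an asymmetric return path.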
Original Message:
Sent: 10-29-2025 15:38
From: Nikolay Semov
Subject: Juniper SRX300 Split DNS Proxy
Okay ... can you capture several requests and responses?
Also check "show security packet-drop records" for potentially dropped / rejected DNS traffic.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-29-2025 15:26
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Whoops, sorry, I didn't mean to include that OUT response. There is no out response for that query in my monitoring; it only shows the IN request.
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-29-2025 15:23
From: Nikolay Semov
Subject: Juniper SRX300 Split DNS Proxy
The ServFail response you've included is for a request that you haven't included.
You haven't included the response for the example.com request you've included.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-29-2025 15:05
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Sure thing, here are some of the logs I got from monitoring. On my client I ran nslookup example.com. The captured traffic shows the raw lookup for example.com, so that seemed to work just fine from the client; however, it never resolved. I ran that after clearing the dns-proxy cache to make sure it was fresh as well. Lookups to my internal domain.com services still worked just fine. I have also tried it with the domain-default options instead of view and that still fails.
Monitored traffic:
18:05:45.680748 Out IP (tos 0x0, ttl 64, id 17675, offset 0, flags [none], proto: UDP (17), length: 80) 192.168.6.1.53 > 10.6.120.5.56558: 49934 ServFail 0/0/1 (52)
18:05:45.908969 In IP (tos 0x0, ttl 64, id 11361, offset 0, flags [none], proto: UDP (17), length: 57) 10.6.120.3.33219 > 192.168.6.1.53: 2919+ A? example.com. (29)
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-29-2025 14:46
From: Nikolay Semov
Subject: Juniper SRX300 Split DNS Proxy
Can you share some of what you've captured with "monitor traffic interface"? Did you try configuration without "view internal" ?
------------------------------
Nikolay Semov
Original Message:
Sent: 10-29-2025 11:32
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Unfortunately still no luck. It seems that the Juniper is appending the domain.com to my lookups, because if I try to run dig example.com or dig example.com., it fails. If I run dig test.domain.com it works just fine. I also tried getting rid of the domain-name attribute that DHCP hands out and the lookup still fails. I also tried deleting the system domain-name domain.com setting on the Juniper. Any other insights would be appreciated! Thanks
------------------------------
ZAKRIS SHMAGRANOFF
Original Message:
Sent: 10-28-2025 19:15
From: eugene1973
Subject: Juniper SRX300 Split DNS Proxy
The dns-proxy cache must be working properly for split DNS to work correctly. Split DNS will still work, but not fully properly. For it to work properly, the gateway address must be entered in the cache.
Example:
c-xx-xxx-xxx-xxx.hsd1.ca.comcast.net inet 192.168.1.1;
It must stick; if the address keeps disappearing, then you must keep entering it until it stays entered.
I deal with constant Windows DNS repairs ("diagnose") to keep up with IPv6.
If you have anything before the SRX, it must be operating properly. I mention this because I'm working as internal zone only, not global. It's a problem. I have an approved common wireless gateway first: Xfinity.
Perhaps other things might be problematic in all this, but this is key. Don't forget the forwards here.
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 10-28-2025 16:42
From: ZAKRIS SHMAGRANOFF
Subject: Juniper SRX300 Split DNS Proxy
Hello!
I am trying to get split DNS working correctly. My lookups to my domain work just fine, but any other traffic is not going through my domain * forwarders. Also, when I look at the cache for dns-proxy it shows that all the entries have an appended domain.com on them. For example, test.com would show as test.com.domain.com (domain.com being my internal domain name). Is there anything wrong with my attached proxy config? Or is there another part of the config I need to change to make this work?
dns {
    max-cache-ttl 86400;
    max-ncache-ttl 600;
    dns-proxy {
        interface {
            ge-0/0/1.0;
        }
        view internal {
            match-clients 192.168.6.1/24;
            match-clients 10.6.100.1/24;
            match-clients 10.6.110.1/24;
            match-clients 10.6.120.1/24;
            match-clients 10.6.130.1/24;
            match-clients 10.6.160.1/24;
            match-clients 10.6.170.1/24;
            match-clients 10.6.190.1/24;
            domain domain.com {
                forwarders {
                    192.168.1.24;
                    192.168.3.24;
                }
            }
            domain * {
                forwarders {
                    8.8.8.8;
                    8.8.4.4;
                }
            }
        }
    }
}
------------------------------
ZAKRIS SHMAGRANOFF
------------------------------