SRX doesn't resolve internet domain names

  • 1.  SRX doesn't resolve internet domain names

    Posted 07-18-2016 11:28

    I don't know why, but apparently my SRX can't resolve internet domain names, for example www.juniper.net.
    I realized this because I created a policy to block some internet pages, but this policy never worked. I had to modify this policy and aggregate the IPv4 of the destination page, so I assume that my policy doesn't work because my SRX is not resolving domain names.

     

    If I ping an internet IP via CLI (for example google DNS 8.8.8.8) the response is correct, but if I ping an internet page (for example www.juniper.net) this is what appears:

     

    ping: cannot resolve www.juniper.net: Host name lookup failure

     

    This is my configuration for DNS:

    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }


    Do you know what I could be doing wrong? I'm sorry if the answer is too dumb, but I'm still a newbie with SRX...

     



  • 2.  RE: SRX doesn't resolve internet domain names

    Posted 07-18-2016 12:30

    Hi

     

    You need to provide more details, maybe your full configuration except passwords and public IPs. I have no problem pinging www.juniper.net from my SRXs. DNS is also 8.8.8.8. Maybe DNS requests are blocked for some reason in your network?



  • 3.  RE: SRX doesn't resolve internet domain names

    Posted 07-18-2016 21:41

    When pinging a URL from the RE, the SRX needs host-inbound-traffic for DNS enabled on the outside-facing zone, otherwise the RE will not get the DNS return packets delivered.

     

    regards

     

    alexander



  • 4.  RE: SRX doesn't resolve internet domain names

    Posted 07-19-2016 11:27

    Yes, previously I had configured host-inbound in the internet zone, but it didn't work:

     

    host-inbound-traffic {
        system-services {
            https;
            ike;
            ping;
            ssh;
            dns;
        }
    }
    interfaces {
        ge-0/0/14.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ike;
                    ping;
                    ssh;
                    dns;
                }
            }
        }
    }



  • 5.  RE: SRX doesn't resolve internet domain names

     
    Posted 07-19-2016 14:23

    First question would be: does the firewall support DNS names instead of IPs in its source and destination rule sets? Also, I doubt enabling host-inbound services DNS would work, as the firewall will request a DNS lookup from a random port, and the DNS server will reply to that random port; look at your session table under self traffic policy. I would suggest you close that port, as you open your RE to DNS from the internet.



  • 6.  RE: SRX doesn't resolve internet domain names

    Posted 07-19-2016 16:01

    The SRX can have address book entries that use FQDNs instead of IP addresses.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20994



  • 7.  RE: SRX doesn't resolve internet domain names

    Posted 07-19-2016 18:45

    Hi,

     

    While pinging the domain name, run the following command to see if the SRX is sending our DNS queries to the server and if we are receiving a response for them :-

     

    >monitor traffic interface <interface_name> matching "host 8.8.8.8"

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 8.  RE: SRX doesn't resolve internet domain names

    Posted 07-19-2016 11:23

    I thought the same, but apparently there's nothing on the other side blocking DNS requests; this firewall is directly connected to the device that the ISP delivered with the internet service.

    It seems that LAN DNS requests are fine, and users can access internet pages correctly; the problem is only with the SRX.



  • 9.  RE: SRX doesn't resolve internet domain names

    Posted 07-18-2016 22:52

    Hi,

     

    Please check if you have any firewall filters blocking DNS on your Loopback or External interface.

     

    Regards,

    Sahil Sharma




  • 10.  RE: SRX doesn't resolve internet domain names

    Posted 09-05-2016 15:35

    Hello, we already resolved this issue: we had to add a source NAT from the default routing instance to another routing-instance (virtual router type), and it works. Thank you all for your help.



  • 11.  RE: SRX doesn't resolve internet domain names

    Posted 04-24-2023 15:58

    Can you tell me how you did that? All of a sudden I lost all DNS resolution behind my SRX.



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------