Junos OS

  • 1.  Security Policies for DNS

    Posted 09-30-2022 13:28
    Hello Juniper Geniuses,

    So, recently I placed a Juniper SRX 340 between my remote sites and my main network. Due to security concerns, I cannot configure a permit "any" rule for my policies between these two locations, so each policy application is configured manually in the security policy. But, for some reason or another, I cannot get the DNS traffic to work properly. I can RDP to my remote sites and DHCP seems to be working, but whenever I go to log in I get an error stating no DNS can be found. I know it is the policies, due to the fact that when I put the any rule in for applications the remote workstations log in with no issue.
    Do I need to put a statement in besides the following to permit DNS through my firewall?

    from-zone trust to-zone untrust {
        policy IN_TO_OUT {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy OUT_TO_IN {
            match {
                source-address any;
                destination-address any;
                application [ junos-dns-tcp junos-dns-udp ];
            }
            then {
                permit;
            }
        }
    }


    PS: There are other applications allowed; I just narrowed it down here to DNS to make sure I am not missing something.

    Thanks,
    Matt

    ------------------------------
    MATTHEW LOVELAND
    ------------------------------


  • 2.  RE: Security Policies for DNS

    Posted 10-01-2022 11:31
    The DNS rule would be from the zone making the request to the zone where the DNS request is forwarded.

    I would guess the rule above is in the wrong direction, expecting the request to come from the trust zone to the untrust one.

    If your DNS rule is not working, you can confirm the ports, protocol and IP addresses involved by looking at the sessions while the allow-any rule is in place. This can be done without any restriction for the full list, or restricted to the expected source/destination IP address as follows.

    show security flow session source-prefix 192.168.1.10/32

    This list of active sessions would confirm what needs to be included in the policy.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Security Policies for DNS

    Posted 10-05-2022 11:59
    Edited by MATTHEW LOVELAND 10-05-2022 12:01
    Yes,

    But given that there is an "any" rule coming from the other direction, it still should not be blocking DNS traffic. There is something here that is fishy. I really just want to put allow all traffic, because I know this will fix the problem, but company policies forbid that. Would you mind providing a sample configuration for what you think would allow DNS traffic to traverse between trust and untrust zones? Furthermore, does it make a difference that the remote ends are thin clients?

    Thanks,
    Matt

    ------------------------------
    MATTHEW LOVELAND
    ------------------------------



  • 4.  RE: Security Policies for DNS

    Posted 10-06-2022 07:45
    Note that security policies on the SRX are direction-aware. So the policy must be correctly done with the DNS requester as the from-zone and the DNS server as the to-zone in the policy.

    Having a reverse allow-all DNS policy will NOT allow the DNS traffic to work.

    Policies allow the traffic from the sending direction and put the data into a session table. The reverse traffic is looked at to match an existing session and only permitted if one exists.

    So your policy to allow DNS requests would look like this:

    from-zone CLIENTS_REQUESTING to-zone DNS_SERVERS {
        policy DNS_Requests {
            match {
                /* OR RESTRICT TO CLIENT IP RANGES */
                source-address any;
                destination-address any;
                application [ junos-dns-tcp junos-dns-udp ];
            }
            then {
                permit;
            }
        }
    }

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
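The direction-aware policy lookup and session-table behaviour described in the reply above, modelled as an added Python example (constructed for this thread, not Junos code or the poster's own). Zone names, addresses and the ephemeral port are assumptions; junos-dns-udp/junos-dns-tcp are modelled as port 53.

```python
from collections import namedtuple

# Constructed model (not Junos code): a flow is identified by its zones and 5-tuple,
# a policy by its zone pair and the set of (protocol, destination-port) applications.
Flow = namedtuple("Flow", "from_zone to_zone src dst proto sport dport")
Policy = namedtuple("Policy", "from_zone to_zone apps")

ANY = frozenset({("any", 0)})                      # application any
JUNOS_DNS = frozenset({("udp", 53), ("tcp", 53)})  # junos-dns-udp, junos-dns-tcp

class Srx:
    """Minimal model of direction-aware policy lookup plus a session table."""
    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = set()  # 5-tuples of flows that a policy permitted

    def _lookup(self, f):
        # Only policies whose from-zone/to-zone match the flow's direction are consulted
        for p in self.policies:
            if (p.from_zone, p.to_zone) == (f.from_zone, f.to_zone) \
                    and (p.apps == ANY or (f.proto, f.dport) in p.apps):
                return True
        return False

    def forward(self, f):
        """Return 'session' (reverse of an existing session), 'permit' or 'deny'."""
        if (f.dst, f.src, f.proto, f.dport, f.sport) in self.sessions:
            return "session"  # reply traffic: admitted by the session, no policy needed
        if self._lookup(f):
            self.sessions.add((f.src, f.dst, f.proto, f.sport, f.dport))
            return "permit"
        return "deny"  # default deny; a policy in the reverse direction does not help

# Constructed sample: a trust client querying a DNS server in untrust
QUERY = Flow("trust", "untrust", "192.168.1.10", "10.0.0.53", "udp", 40000, 53)
REPLY = Flow("untrust", "trust", "10.0.0.53", "192.168.1.10", "udp", 53, 40000)

def wrong_direction():
    """Only an untrust->trust DNS policy: the query has no matching policy, and
    the reply matches neither a session nor the DNS application (dport is 40000)."""
    fw = Srx([Policy("untrust", "trust", JUNOS_DNS)])
    return fw.forward(QUERY), fw.forward(REPLY)

def right_direction():
    """DNS policy from the requesting zone to the server zone: the query is
    permitted and the reply is admitted by the session table alone."""
    fw = Srx([Policy("trust", "untrust", JUNOS_DNS)])
    return fw.forward(QUERY), fw.forward(REPLY)
```

Running `wrong_direction()` gives ("deny", "deny") and `right_direction()` gives ("permit", "session"), which is why the reversed policy in the first post could not make DNS work.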



  • 5.  RE: Security Policies for DNS

    Posted 10-06-2022 08:44
    Hello Steve,

    Appreciate the help. I was able to figure it out. By default, the security policy was not providing the open ports required for my Windows DNS and other services to traverse the network. So, what I did was create an entry under applications that defined custom port rules, and then assigned this application-set to the security policy, and BAM! That fixed the problem.

    Thanks,
    Matt

    ------------------------------
    MATTHEW LOVELAND
    ------------------------------