The DNS rule would be from the zone making the request to the zone where the DNS request is forwarded.
I would guess the rule above is in the wrong direction, expecting the request to come from the trust zone to the untrust one.
If your DNS rule is not working, you can confirm the ports, protocol and IPs involved by looking at the session when the allow-any rule is in place. This can be run without any restriction for the full list, or restricted to the expected source/destination IP address as follows.
show security flow session source-prefix 192.168.1.10/32
This list from the active session would confirm what needs to be included in the policy.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
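The policy direction described in the reply above, written out as an added example (this is not configuration from the original post). It assumes the querying workstations sit in the trust zone on 192.168.1.0/24 (extending the 192.168.1.10 address used in the session command above) and that the DNS server they are configured to use is 10.0.0.53 in the untrust zone; both address-book names are hypothetical. Because SRX flow processing is stateful, the DNS replies ride the session created by the outbound query, so no untrust-to-trust DNS policy is needed for this traffic; an explicit logged deny closes the trust-to-untrust direction without a permit-any rule.

```junos
security {
    address-book {
        global {
            /* hypothetical names and prefixes, not from the original post */
            address remote-clients 192.168.1.0/24;
            address dns-server 10.0.0.53/32;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* DNS is initiated by the clients, so the rule lives in the
               direction the query travels: trust -> untrust */
            policy ALLOW_DNS {
                match {
                    source-address remote-clients;
                    destination-address dns-server;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* evaluated last: everything not matched above is dropped and logged */
            policy DENY_ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

After committing, trigger a lookup from a client and run the session command from the reply (show security flow session source-prefix 192.168.1.10/32); the session should name ALLOW_DNS as its policy and show destination port 53. To check a 5-tuple without generating traffic, show security match-policies from-zone trust to-zone untrust source-ip 192.168.1.10 destination-ip 10.0.0.53 source-port 40000 destination-port 53 protocol udp reports which policy would be hit. Only add a DNS policy in the untrust-to-trust direction if hosts in untrust themselves originate queries toward a resolver in trust.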
Original Message:
Sent: 09-30-2022 13:16
From: MATTHEW LOVELAND
Subject: Security Policies for DNS
Hello Juniper Geniuses,
So, recently I placed a Juniper SRX 340 between my remote sites and my main network. Due to security concerns, I cannot configure a permit "any" rule for my policies between these two locations, so each policy application is configured manually in the security policy. But, for some reason or another, I cannot get the DNS traffic to work properly. I can RDP to my remote sites and DHCP seems to be working, but whenever I go to log in I get an error stating no DNS can be found. I know it is the policies due to the fact that when I put the any rule in for applications the remote workstations log in with no issue.
Do I need to put a statement in besides the following to permit DNS through my firewall?
from-zone trust to-zone untrust {
    policy IN_TO_OUT {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy OUT_TO_IN {
        match {
            source-address any;
            destination-address any;
            application [ junos-dns-tcp junos-dns-udp ];
        }
        then {
            permit;
        }
    }
}
PS: There are other applications allowed; I just narrowed it down here to DNS to make sure I am not missing something.
Thanks,
Matt
------------------------------
MATTHEW LOVELAND
------------------------------