Juniper SRX With DNS Proxy Service Enabled

Since the release of Junos v12.1x44D10 for branch SRX firewalls, Juniper has added a feature called DNS-Proxy. This feature turns the Junos device into a caching DNS server with several additional options. One of those options is to define a Fully Qualified Domain Name (FQDN) with an IP address, which overrides the entry (if one exists) in the 'official' DNS system on the Internet.

The reason I made this post is the following: we have a guest network with a guest portal based on the Juniper UAC. The portal has an SSL certificate, and this certificate needs to be issued by a commercial SSL broker such as VeriSign, so that guests aren't harassed by warnings that the certificate might be invalid. An alternative is to add the internal FQDNs to the public certificate, but adding these so-called SubjectAlternativeNames adds a surcharge to the certificate price. Another issue with SANs is that not every browser obeys RFC 3280 regarding SANs.

Another problem might pop up if you want to use your official domain (like portal.juniper.net) and you need the guests to resolve that FQDN on the guest network. Public DNS providers won't allow public FQDNs to have private (RFC 1918) IP addresses. Hosting this internally on a DNS server might introduce additional DNS administration, or possible security risks (exposing internal DNS infrastructure).

Anyway, each solution requires additional funding, but there is a way around this by using the DNS-Proxy feature in the SRX branch firewalls.

Let's say that we have a guest portal (portal.juniper.net) with the IP address 10.1.1.1. Users in the guest environment also need to access juniper.net resources located on the Internet.

Using the DNS proxy functionality, we need to tell the SRX that when it receives a DNS query for portal.juniper.net it should return IP address 10.1.1.1, and that it needs to return the normal, official public IP addresses for all other juniper.net resources.

To accomplish this we need to do the following:

  • Enable the DNS proxy, and add the 'cached' resource for portal.juniper.net (10.1.1.1).
  • Enable the DNS proxy functionality on the internal interface.
  • Enable/allow DNS queries on the inside interface / zone.
    In my case vlan.0 is the internal interface for the guest network.
  • Allow DNS queries from the SRX to e.g. the Google DNS server (8.8.8.8).
    FYI: the SRX host has its own zone called junos-host.

# set system services dns dns-proxy cache test.juniper.net inet 10.1.1.1

# set system services dns dns-proxy interface vlan.0

# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dns

# set system services dns forwarders 8.8.8.8

# set security policies from-zone junos-host to-zone untrust policy DNS-Queries match source-address any
# set security policies from-zone junos-host to-zone untrust policy DNS-Queries match destination-address any
# set security policies from-zone junos-host to-zone untrust policy DNS-Queries match application junos-dns-udp
# set security policies from-zone junos-host to-zone untrust policy DNS-Queries then permit
# set security policies from-zone junos-host to-zone untrust policy DNS-Queries then log session-init
# set security policies from-zone junos-host to-zone untrust policy DNS-Queries then log session-close

Now the ping results from inside the guest network: 

$ ping www.juniper.net
PING www.juniper.net (95.100.183.148): 56 data bytes
64 bytes from 95.100.183.148: icmp_seq=0 ttl=246 time=22.659 ms
64 bytes from 95.100.183.148: icmp_seq=1 ttl=246 time=21.183 ms
--- www.juniper.net ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss

$ ping test.juniper.net
PING test.juniper.net (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=246 time=3 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=246 time=3 ms
--- test.juniper.net ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
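The four steps above are easy to get half-done, so here is an added example (my own code, not part of the original post and not a Juniper tool) that reads the "set" statements in "show configuration | display set" form, lists every static dns-proxy override together with whether it points at a private address, checks that the proxy interface is actually allowed to receive DNS and that a forwarder exists, and models the lookup order observed in the ping results (exact static entry first, everything else forwarded). The sample config is constructed from the statements in the post; note that it uses test.juniper.net, as the post's config and ping output do. The lookup model and the "display set" layout are assumptions.

```python
import ipaddress

HIT_DNS = ["host-inbound-traffic", "system-services", "dns"]   # the statement step 3 requires
# Constructed sample: the post's own "set" statements, as "show configuration | display set"
# would print them (the config uses test.juniper.net, matching the ping output in the post).
SAMPLE_CONFIG = """\
set system services dns dns-proxy cache test.juniper.net inet 10.1.1.1
set system services dns dns-proxy interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dns
set system services dns forwarders 8.8.8.8
"""

def parse_dns_proxy(config_text):
    """Collect dns-proxy, forwarder and host-inbound dns statements from 'display set' output."""
    cfg = {"cache": {}, "proxy_ifaces": [], "forwarders": [], "dns_ifaces": set(), "dns_zones": set(), "iface_zone": {}}
    for line in config_text.splitlines():
        w = line.split()
        if w[:6] == ["set", "system", "services", "dns", "dns-proxy", "cache"] and len(w) >= 9:
            cfg["cache"][w[6].lower()] = w[8]            # fqdn -> static inet answer
        elif w[:6] == ["set", "system", "services", "dns", "dns-proxy", "interface"] and len(w) >= 7:
            cfg["proxy_ifaces"].append(w[6])
        elif w[:5] == ["set", "system", "services", "dns", "forwarders"] and len(w) >= 6:
            cfg["forwarders"].append(w[5])
        elif w[:4] == ["set", "security", "zones", "security-zone"] and len(w) >= 7:
            if w[5] == "interfaces":
                cfg["iface_zone"][w[6]] = w[4]            # which zone the interface belongs to
                if w[7:10] == HIT_DNS:
                    cfg["dns_ifaces"].add(w[6])           # dns allowed on this interface only
            elif w[5:8] == HIT_DNS:
                cfg["dns_zones"].add(w[4])                # dns allowed zone-wide
    return cfg

def audit(cfg):
    """Report every static override and any of the post's steps that is missing."""
    findings = []
    for fqdn, ip in sorted(cfg["cache"].items()):
        scope = "private/RFC1918" if ipaddress.ip_address(ip).is_private else "PUBLIC"
        findings.append(f"override {fqdn} -> {ip} [{scope}]")
    for iface in cfg["proxy_ifaces"]:
        if iface not in cfg["dns_ifaces"] and cfg["iface_zone"].get(iface) not in cfg["dns_zones"]:
            findings.append(f"{iface}: dns-proxy enabled but host-inbound dns is not allowed")
    if not cfg["forwarders"]:
        findings.append("no forwarders configured: non-cached names cannot be resolved")
    return findings

def resolve(cfg, name):
    """Assumed lookup order (matches the post's ping results): exact static entry, else a forwarder."""
    name = name.lower().rstrip(".")
    return cfg["cache"].get(name) or ("forward:" + cfg["forwarders"][0] if cfg["forwarders"] else None)
```

Any override reported as PUBLIC deserves a second look, since a firewall-side DNS override on the guest network silently redirects whoever trusts that resolver.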

So there is no need to implement a relatively expensive DNS infrastructure for the guest network, or to add SANs to the certificate. Just use the present SRX firewall to solve your resolving problems :-).

Posted on February 20, 2013 and filed under Tips'n Tricks, Security, Junos.