If you want your SRX firewall to handle DNS requests on your network, you need to configure the forwarders to make this possible, in addition to a few other parameters.
First, make sure you have no local forwarders set on the device itself, as they cannot be used along with the dns-proxy service – if you have any configured, they should all be removed:
delete system services dns forwarders <ip.address>
Then, follow the step-by-step procedure below:
1. Configure the DNS proxy setting on the desired interface(s) where it should listen for DNS requests:
set system services dns dns-proxy interface <logical-interface>
2. Configure the DNS resolver(s) that the requests will be forwarded to for resolution (i.e. your ISP's or any public DNS service):
set system services dns dns-proxy default-domain * forwarders <ip.address>
3. Allow DNS traffic on the security zone:
set security zones security-zone <security-zone> interfaces <logical-interface> host-inbound-traffic system-services dns
4. Apply the configuration (use "commit synchronize" if you are running HA):
commit comment "configure dns-proxy"
Here is a sample of what it would look like:
set system services dns dns-proxy interface irb.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 8.8.4.4
set security zones security-zone LAN interfaces irb.0 host-inbound-traffic system-services dns
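To check a configuration against the prerequisite and steps 1 to 3 above, the following added example (not part of the original post) audits "display set" style lines for a leftover local forwarder, missing resolvers, and dns-proxy listeners that no security zone allows DNS on. The sample input is constructed (192.0.2.53 and irb.10 are made-up values), and the check assumes the interface-level host-inbound-traffic form shown above, accepting either dns or all.

```python
import re

# Constructed sample: the page's example plus a leftover local forwarder and
# a second listener (irb.10) that was never allowed in a security zone.
SAMPLE = """\
set system services dns forwarders 192.0.2.53
set system services dns dns-proxy interface irb.0
set system services dns dns-proxy interface irb.10
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 8.8.4.4
set security zones security-zone LAN interfaces irb.0 host-inbound-traffic system-services dns
"""

PROXY = r"set system services dns dns-proxy "
LOCAL_FWD = re.compile(r"set system services dns forwarders (\S+)")
LISTENER = re.compile(PROXY + r"interface (\S+)")
RESOLVER = re.compile(PROXY + r"default-domain \* forwarders (\S+)")
ZONE_DNS = re.compile(r"set security zones security-zone (\S+) interfaces (\S+) "
                      r"host-inbound-traffic system-services (?:dns|all)")


def audit_dns_proxy(config: str) -> list[str]:
    """Return findings for a 'display set' style configuration."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    local = [m.group(1) for ln in lines if (m := LOCAL_FWD.fullmatch(ln))]
    listeners = [m.group(1) for ln in lines if (m := LISTENER.fullmatch(ln))]
    resolvers = [m.group(1) for ln in lines if (m := RESOLVER.fullmatch(ln))]
    allowed = {m.group(2) for ln in lines if (m := ZONE_DNS.fullmatch(ln))}

    if not listeners:
        return ["dns-proxy has no listening interface (step 1)"]
    findings = []
    for ip in local:  # prerequisite: local forwarders cannot coexist with dns-proxy
        findings.append(f"local forwarder {ip} conflicts with dns-proxy; delete it")
    if not resolvers:
        findings.append("no default-domain * forwarders configured (step 2)")
    for ifl in listeners:  # every listener needs DNS allowed as host-inbound traffic
        if ifl not in allowed:
            findings.append(f"{ifl} listens for DNS but no zone allows dns on it (step 3)")
    return findings


if __name__ == "__main__":
    for finding in audit_dns_proxy(SAMPLE):
        print("FINDING:", finding)
```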