Monday, 29 October 2012

System Services - DNS

DNS (domain name system) is a hierarchical and distributed system that provides a method to map names into IP addresses. The naming structure looks like domain3.domain2.domain1. Each domain or level of the hierarchy is a zone. Each zone has authoritative DNS Servers which are servers that hold the DNS records for that zone.

DNS Name Breakdown
For example, we can break down the DNS name "www.google.com." The following zones exist in this name. We will use a handy tool called nslookup to find the authoritative servers for each zone. Here is a link to a good web page on nslookup.

[.] Technically the "." at the end of 'www.google.com.' is the root of the DNS hierarchy. It is implied and is usually appended automatically, which is why it is not mandatory to enter a period after the URL.


[com] is the next zone; its authoritative servers are shown below. The authoritative name servers here would have a record for google.com.

[google] is the next zone; its authoritative servers are shown below. The authoritative name servers here would have a record for www.google.com.

[www] is the last zone (technically the last label is the host we want an IP address for). Below, the first command looks up the authoritative name servers for the zone www.google.com, and the second command requests the IP address of www.google.com.

DNS Lookup Process
The lookup structure we went through above is called an 'iterative' lookup. In this type of lookup the first query is made at the root level and individual queries are made for each level as you move through the hierarchy. This lookup is commonly performed by DNS servers. The second type of lookup is 'recursive': a single query is made for 'www.google.com' and a downstream DNS server responds. This downstream DNS server may have the result cached, or it may complete an iterative lookup to find the IP address.

Basic DNS Configuration
The diagram below outlines the basic lab topology used to work through this exercise. A Windows 2008 server represents an internal domain server which is authoritative for our domain 'dnstest'.


SRX Configuration
The screenshots below outline the configuration steps. The lab domain 'dnstest' is used, and the DNS server IP address is 192.168.1.110.


Results
The CLI output below demonstrates that the SRX successfully resolved the name 'nas'.
The packet captures below display the DNS request and response. Note that the SRX appended 'dnstest' to the name 'nas'. This is because we have configured the domain-name on the SRX device.
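To make the captured request and reply concrete without the screenshots, here is an added example (not code from the original post, and not Junos) that builds the A query a stub resolver sends after appending the configured domain-name to 'nas', and parses a reply. The reply bytes, the 192.168.1.5 answer and the transaction ID 0x1234 are constructed for the example; the name 'nas.dnstest.' comes from the post.

```python
import struct
def encode_name(name):
    """Encode a dotted name as DNS labels; the final empty label (0x00) is the root '.'."""
    labels = [l for l in name.split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'

def qualify(name, domain_name):
    """Append the configured domain-name to a single-label name, as the SRX did for 'nas'."""
    if '.' in name.rstrip('.') or name.endswith('.'):  # multi-label or absolute: leave it alone
        return name.rstrip('.') + '.'
    return name + '.' + domain_name + '.'

def build_query(name, txid=0x1234):
    """Build a recursive A/IN query (RD=1), as a stub resolver sends to its configured server."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', 1, 1)

def decode_labels(msg, off):
    """Return (labels, next offset), following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer: the rest of the name lives at 'ptr'
            ptr = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            return labels + decode_labels(msg, ptr)[0], off + 2
        off += 1
        if length == 0:
            return labels, off
        labels.append(msg[off:off + length].decode('ascii'))
        off += length

def parse_a_records(msg, expected_txid=None):
    """Return (question name, [A-record IPs]) from a one-question response; non-A answers are skipped."""
    txid, flags, qdcount, ancount = struct.unpack('!HHHH', msg[:8])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError('not a single-question response')
    if expected_txid is not None and txid != expected_txid:
        raise ValueError('transaction ID does not match our query')   # reject replies we did not ask for
    labels, off = decode_labels(msg, 12)
    qname, off, ips = '.'.join(labels) + '.', off + 4, []   # skip QTYPE/QCLASS
    for _ in range(ancount):
        _, off = decode_labels(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append('.'.join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips

# Constructed sample reply to the 'nas.dnstest.' query (not a real capture): A 192.168.1.5, TTL 3600.
SAMPLE_RESPONSE = (struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 0) + encode_name('nas.dnstest.')
                   + struct.pack('!HH', 1, 1) + b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 3600, 4) + bytes([192, 168, 1, 5]))
```

Comparing the bytes of `build_query(qualify('nas', 'dnstest'))` with a real capture of the SRX query shows the appended suffix in the question section.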


The CLI output and packet captures below demonstrate that the SRX successfully resolved the name 'www.google.com'.



Conclusion
This blog post reviewed DNS and basic configuration so that the SRX device could resolve host names. The use case where the SRX would resolve an address on behalf of a client (DNS Proxy) does not seem to be supported. The only information I could find is this knowledge base article [Does Junos Support DNS-Proxy?] outlining that the feature was removed for security reasons. I would like to know if this feature is going to be re-introduced. I can see many use cases where this feature could be used. Anyone have any information on this?

3 comments:

  1. It's weird they removed it but it's still there.. I am working on getting named running, I have my zones replicated to it just need to get it to bind to another IP will only bind to 127.0.0.1 :(

  2. SRX branch devices support the DNS proxy starting on Junos 12.1x44D10. I just configured it on my 210h and it seems to be working well. The below config let me forward requests to some DNS servers at work over a VPN tunnel. I then modify my DHCP options to point to the SRX for DNS, and all is good.

    edit system services dns dns-proxy
    interface {
        vlan.0;
    }
    view ad.domain.com {
        match-clients 192.168.1.0/24;
        domain ad.domain.com {
            forwarders {
                172.16.1.254;
                172.16.1.253;
            }
        }
    }
