
I am trying to help someone out who has a Juniper SRX550. What we want to do is to block outbound port 53 on the DHCP pool, and only outbound port 53, except for the name-server that is set for the DHCP pool (in this case the IPs are set to OpenDNS, but I don't think that is relevant).

set system services dhcp pool 10.0.0.0/24 name-server 208.67.222.222

This sets the name-server, but I have been unable to find a way to block outbound DNS that isn't going to the OpenDNS servers.

This is what the config looks like currently:

dhcp {
    pool 10.0.0.0/24 {
        address-range low 10.0.0.10 high 10.0.0.254;
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        router {
            10.0.0.1;
        }
    }
}

2 Answers


Add firewall rules that deny port 53 access to all IP's other than the OpenDNS server.

Sean Thorburn
  • Yes, but what is needed is how to do that on the Juniper so that the DHCP pool can access only the preset DNS and no other. – lbutlr Feb 17 '16 at 20:02

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy Allow_OpenDNS match source-address "name of DHCP range in address list"

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy Allow_OpenDNS match destination-address "name of DNS server in address list"

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy Allow_OpenDNS match application [ junos-dns-tcp junos-dns-udp ]

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy Allow_OpenDNS then permit

set security policies global policy DNS_Block match source-address "name of DHCP range in address list"

set security policies global policy DNS_Block match application [ junos-dns-tcp junos-dns-udp ]

set security policies global policy DNS_Block then deny
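Why this works depends on evaluation order: the SRX checks zone-pair policies first, then global policies, then the default deny. The small model below (an added example, not part of the answer or Juniper's code) walks a few first-packet flows through that order; the zone names, the extra Allow_Web policy and the test addresses are assumptions.

```python
import ipaddress

# Constructed model of the policy set above. Zone names and Allow_Web are assumed;
# they stand in for whatever other trust->untrust permits the real box already has.
DHCP_POOL = ipaddress.ip_network("10.0.0.0/24")
OPENDNS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
DNS_APPS = {("udp", 53), ("tcp", 53)}      # junos-dns-udp / junos-dns-tcp
WEB_APPS = {("tcp", 80), ("tcp", 443)}     # assumed extra permit (junos-http/https)


def zone_of(addr):
    """Assumed zoning: the DHCP pool lives in 'trust', everything else is 'untrust'."""
    return "trust" if addr in DHCP_POOL else "untrust"


# (name, from_zone, to_zone, src_match, dst_match, apps, action)
# from_zone/to_zone of None marks a global policy (no zone context).
POLICIES = [
    ("Allow_OpenDNS", "trust", "untrust",
     lambda s: s in DHCP_POOL, lambda d: d in OPENDNS, DNS_APPS, "permit"),
    ("Allow_Web", "trust", "untrust",
     lambda s: s in DHCP_POOL, lambda d: True, WEB_APPS, "permit"),
    ("DNS_Block", None, None,
     lambda s: s in DHCP_POOL, lambda d: True, DNS_APPS, "deny"),
]


def evaluate(src, dst, proto, dport):
    """Return (policy_name, action) applied to a first packet src -> dst:dport.

    Zone-pair policies are tried first (only those matching the flow's zone pair),
    then global policies, then the implicit default policy, which denies.
    """
    s, d, app = ipaddress.ip_address(src), ipaddress.ip_address(dst), (proto, dport)
    zone_pair = (zone_of(s), zone_of(d))
    zone_pols = [p for p in POLICIES if p[1] is not None]
    global_pols = [p for p in POLICIES if p[1] is None]
    for name, fz, tz, src_ok, dst_ok, apps, action in zone_pols + global_pols:
        if fz is not None and (fz, tz) != zone_pair:
            continue  # zone policy for a different zone pair, skip it
        if src_ok(s) and dst_ok(d) and app in apps:
            return name, action
    return "default-policy", "deny"
```

The order matters in practice: any existing zone policy that permits DNS to "any" would match before DNS_Block is ever consulted, so it must be narrowed or placed after Allow_OpenDNS.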