The split DNS proxy feature allows you to configure a set of name servers and associate them with a given domain name. When a client queries that domain name, the device sends the DNS query only to the name servers configured for that domain name, so that DNS queries stay localized.
You can configure the transport method used to resolve a given domain name—for example, when the device connects to the corporate network through an IPSec VPN or any other secure tunnel. When you configure a secure VPN tunnel to transport the domain names belonging to the corporate network, the DNS resolution queries are not leaked to the ISP DNS server and are contained within the corporate network.
You can also configure a set of default name servers that the device can use to resolve domain names that have no configured name servers associated with them.
Each DNS proxy must be associated with an interface. If an interface has no DNS proxy configuration, all the DNS queries received on that interface are dropped.
Figure 14 demonstrates DNS proxy with split DNS.
Figure 14: DNS Proxy with Split DNS
In the corporate network shown in Figure 14, a PC client that points to the J-series or SRX-series device as its DNS server makes two queries—to www.yahoo.com and to www.intranet.com. The DNS proxy redirects the intranet.com query to the intranet.com DNS server (1.1.1.253), while the yahoo.com query is redirected to the ISP DNS server (209.100.3.130). Although the query for www.yahoo.com is sent to the ISP DNS server as a regular DNS query using clear-text protocols (TCP/UDP), the query for the www.intranet.com domain goes to the intranet’s DNS servers over a secure VPN tunnel.
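The forwarding decision described above, modelled as an added Python example (not code from the device or this documentation): a query is dropped if its ingress interface has no DNS proxy, otherwise the most specific configured domain suffix wins, and the default name servers are used only when no suffix matches. The interface name `ge-0/0/0.0` is an assumption; the addresses and domains are the ones from Figure 14.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of the split DNS proxy decision; not the device's implementation.

@dataclass(frozen=True)
class Forwarder:
    address: str
    transport: str  # "vpn" = IPsec tunnel into the corporate network, "clear" = TCP/UDP to the ISP

@dataclass
class DnsProxy:
    # domain suffix -> forwarders for that domain; "*" holds the default name servers
    domains: Dict[str, List[Forwarder]] = field(default_factory=dict)

def select_forwarders(proxies: Dict[str, DnsProxy], interface: str, qname: str) -> Optional[List[Forwarder]]:
    """Return the forwarders a query arriving on `interface` is sent to, or None if it is dropped."""
    proxy = proxies.get(interface)
    if proxy is None:
        return None  # interface without a DNS proxy configuration: query dropped
    labels = qname.rstrip(".").lower().split(".")
    # Most specific suffix first: www.intranet.com, then intranet.com, then com.
    # Matching on label boundaries keeps "notintranet.com" from matching "intranet.com".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in proxy.domains:
            return proxy.domains[suffix]
    return proxy.domains.get("*")  # default name servers, if any were configured

# Constructed configuration mirroring Figure 14 ("ge-0/0/0.0" is an assumed interface name).
PROXIES = {
    "ge-0/0/0.0": DnsProxy({
        "intranet.com": [Forwarder("1.1.1.253", "vpn")],
        "*": [Forwarder("209.100.3.130", "clear")],
    })
}

def leaks_to_isp(proxies: Dict[str, DnsProxy], interface: str, qname: str) -> bool:
    """True if any forwarder chosen for this query is reached in clear text, outside the VPN."""
    fwds = select_forwarders(proxies, interface, qname)
    return bool(fwds) and any(f.transport == "clear" for f in fwds)

if __name__ == "__main__":
    for name in ("www.intranet.com", "www.yahoo.com"):
        print(name, select_forwarders(PROXIES, "ge-0/0/0.0", name))
```

Checking `leaks_to_isp` for each corporate domain is a quick way to confirm that internal names never fall through to the clear-text default servers.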
A split DNS proxy has the following advantages: