Configure DNS Sinkhole
To configure DNS sinkhole for disallowed domains:
- Configure the DNS profile. In this example, the profile name is dns-profile. For the allowlisted feed dns-feed-1, the DNS request is logged and access is allowed. For the custom DNS feed custom-dns-feed-1, the DNS request is sinkholed.

  [edit services]
  user@host# set security-intelligence profile dns-profile category DNS
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action permit
  user@host# set security-intelligence profile dns-profile rule dns-rule-1 then log
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole
  user@host# set security-intelligence profile dns-profile rule dns-rule-2 then log
- (Optional) Configure the DNS sinkhole server. In this example, the domain name of the DNS sinkhole server is sinkhole.junipernetworks.com.

  [edit services]
  user@host# set dns-filtering sinkhole fqdn sinkhole.junipernetworks.com

  Note:
  - The FQDN value sinkhole.junipernetworks.com is provided as an example; do not use it in an actual configuration.
  - If you do not configure a DNS sinkhole server, the sinkhole IP address hosted on the SRX firewall acts as the sinkhole server by default.
- Configure the DNS policy and attach the DNS profile to it.

  [edit services]
  user@host# set security-intelligence policy dns-policy category DNS security-intelligence-profile dns-profile
- Configure a security policy and assign the DNS policy to it as an application service.

  [edit security]
  user@host# set policies from-zone trust to-zone untrust policy security-policy match source-address any
  user@host# set policies from-zone trust to-zone untrust policy security-policy match destination-address any
  user@host# set policies from-zone trust to-zone untrust policy security-policy match application any
  user@host# set policies from-zone trust to-zone untrust policy security-policy then permit application-services security-intelligence-policy dns-policy
- (Optional) To stream the DNS filtering logs, use the following command:

  [edit security]
  user@host# set log stream <dnsf-stream-name> category dnsf
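The profile in step 1 is a list of rules that each bind a feed to a set of threat levels and an action. When a profile grows past two rules, it is easy to commit one that leaves a threat level on a feed with no matching rule, or that mistypes a level outside the 1 to 10 range. The following script is an added example, not Juniper code: it models the rules from this page, renders the same `set` commands shown in step 1, and reports, per feed, which threat levels no rule matches, so the gap is a deliberate choice rather than an oversight. It assumes threat levels run 1 to 10 and that the only actions are permit and sinkhole, the two used on this page; the class and function names are the example's own.

```python
"""Render Junos security-intelligence DNS profile 'set' lines from a rule
model and check threat-level coverage per feed before committing.

Added example, not Juniper code. Assumptions: threat levels 1..10 are the
valid range, and 'permit' / 'sinkhole' are the actions in use.
"""
from dataclasses import dataclass

THREAT_LEVELS = range(1, 11)           # assumed valid range: 1 .. 10
VALID_ACTIONS = {"permit", "sinkhole"}  # the two actions shown on this page


@dataclass
class DnsRule:
    name: str            # rule name, e.g. dns-rule-1
    feed_name: str       # security-intelligence feed the rule matches
    threat_levels: list  # threat levels this rule applies to
    action: str          # "permit" or "sinkhole"
    log: bool = True     # emit "then log" for the rule


def validate(rules):
    """Raise ValueError for out-of-range threat levels or unknown actions."""
    for r in rules:
        bad = [lvl for lvl in r.threat_levels if lvl not in THREAT_LEVELS]
        if bad:
            raise ValueError(f"rule {r.name}: threat levels out of range: {bad}")
        if r.action not in VALID_ACTIONS:
            raise ValueError(f"rule {r.name}: unknown action {r.action!r}")


def render_profile(profile, rules):
    """Return the 'set' lines (for the [edit services] hierarchy) that build the profile."""
    validate(rules)
    base = f"set security-intelligence profile {profile}"
    lines = [f"{base} category DNS"]
    for r in rules:
        prefix = f"{base} rule {r.name}"
        lines.append(f"{prefix} match feed-name {r.feed_name}")
        lines.extend(f"{prefix} match threat-level {lvl}" for lvl in r.threat_levels)
        lines.append(f"{prefix} then action {r.action}")
        if r.log:
            lines.append(f"{prefix} then log")
    return lines


def unmatched_levels(rules):
    """Map each feed name to the sorted threat levels that no rule on that feed matches."""
    covered = {}
    for r in rules:
        covered.setdefault(r.feed_name, set()).update(r.threat_levels)
    return {feed: sorted(set(THREAT_LEVELS) - lvls) for feed, lvls in covered.items()}


# Constructed input: the two rules from this page's example profile.
PAGE_RULES = [
    DnsRule("dns-rule-1", "dns-feed-1", list(range(1, 8)), "permit"),
    DnsRule("dns-rule-2", "custom-dns-feed-1", [8, 9, 10], "sinkhole"),
]

if __name__ == "__main__":
    for line in render_profile("dns-profile", PAGE_RULES):
        print(line)
    for feed, gaps in unmatched_levels(PAGE_RULES).items():
        print(f"# {feed}: no rule for threat levels {gaps or 'none'}")
```

Run as a script, it prints the 17 `set` lines from step 1 (without the `user@host#` prompt) followed by a coverage summary: dns-feed-1 has no rule for levels 8 to 10 and custom-dns-feed-1 none for levels 1 to 7. Whether an unmatched level should be permitted, logged or sinkholed is a policy decision; the script only makes the gap visible before the configuration is committed.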
To display DNS statistics for logical systems and tenant systems, use the following commands:
- show services security-intelligence dns-statistics logical-system logical-system-name
- show services security-intelligence dns-statistics tenant tenant-name

To display DNS profile statistics for logical systems and tenant systems, use the following commands:
- show services security-intelligence dns-statistics profile p1 logical-system logical-system-name
- show services security-intelligence dns-statistics profile p1 tenant tenant-name

To display all DNS statistics for logical systems and tenant systems, use the following commands:
- show services security-intelligence dns-statistics logical-system all
- show services security-intelligence dns-statistics tenant all
- show services security-intelligence dns-statistics

To clear DNS filtering statistics, use the following commands:
- clear services security-intelligence dns-statistics logical-system logical-system-name
- clear services security-intelligence dns-statistics logical-system all
- clear services security-intelligence dns-statistics