Configure DNS Sinkhole

To configure DNS sinkhole for disallowed domains:

  1. Configure a DNS profile. In this example, the profile name is dns-profile. For the allowlisted feed dns-feed-1, DNS requests are logged and allowed. For the custom DNS feed custom-dns-feed-1, DNS requests are sinkholed.

    [edit services]

    user@host# set security-intelligence profile dns-profile category DNS

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action permit

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then log

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then log

  2. (Optional) Configure a DNS sinkhole server. In this example, the domain name of the DNS sinkhole server is set to sinkhole.junipernetworks.com.

    [edit services]

    user@host# set dns-filtering sinkhole fqdn sinkhole.junipernetworks.com

    Note:
    • The FQDN value sinkhole.junipernetworks.com is provided only as an example; do not use it in an actual configuration.

    • If you do not configure the DNS sinkhole server, then by default, the sinkhole IP address that is hosted on the SRX firewall acts as the sinkhole server.

  3. Configure DNS policy.

    [edit services]

    user@host# set security-intelligence policy dns-policy category DNS security-intelligence-profile dns-profile

  4. Configure a security policy and assign the DNS policy to the security policy.

    [edit security]

    user@host# set policies from-zone trust to-zone untrust policy security-policy match source-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy match destination-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy match application any

    user@host# set policies from-zone trust to-zone untrust policy security-policy then permit application-services security-intelligence-policy dns-policy

  5. (Optional) To stream the DNS logs, use the following command:

    [edit security]

    user@host# set log stream <dnsf-stream-name> category dnsf
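The following Python is an added example, not Juniper's code: it builds the step 1 `set security-intelligence profile` commands from a small rule table and sanity-checks the rules (valid action, threat levels in range, sinkhole rules logged) before they are pushed. It assumes threat levels 1-10 and the two actions used on this page; `DnsRule`, `validate`, `render` and `PAGE_RULES` are names chosen here.

```python
from dataclasses import dataclass

# Added example (not Juniper's code): builds the step 1 'set security-intelligence
# profile' commands from a rule list after sanity-checking it. Threat levels 1-10
# and the actions permit/sinkhole are the values this page uses; others are rejected.
PAGE_ACTIONS = {"permit", "sinkhole"}

@dataclass
class DnsRule:
    name: str         # rule name, e.g. dns-rule-2
    feed: str         # feed-name the rule matches
    levels: range     # threat-levels to match, e.g. range(8, 11) for 8-10
    action: str       # "permit" or "sinkhole"
    log: bool = True  # emit 'then log' for the rule

def validate(rules):
    """Raise on values the CLI would reject; return a list of soft warnings."""
    warnings, names = [], set()
    for r in rules:
        if r.name in names:
            raise ValueError(f"duplicate rule name {r.name}")
        names.add(r.name)
        if r.action not in PAGE_ACTIONS:
            raise ValueError(f"{r.name}: action must be one of {sorted(PAGE_ACTIONS)}")
        bad = [lvl for lvl in r.levels if not 1 <= lvl <= 10]
        if bad:
            raise ValueError(f"{r.name}: threat-level {bad} outside 1-10")
        if r.action == "sinkhole" and not r.log:
            warnings.append(f"{r.name}: sinkholed queries would not be logged")
    return warnings

def render(profile, rules):
    """Emit the [edit services] set commands in the same order as the page."""
    validate(rules)
    base = f"set security-intelligence profile {profile}"
    out = [f"{base} category DNS"]
    for r in rules:
        rule = f"{base} rule {r.name}"
        out.append(f"{rule} match feed-name {r.feed}")
        out.extend(f"{rule} match threat-level {lvl}" for lvl in r.levels)
        out.append(f"{rule} then action {r.action}")
        if r.log:
            out.append(f"{rule} then log")
    return out

# The step 1 profile: allowlisted feed permitted and logged, custom feed sinkholed.
PAGE_RULES = [
    DnsRule("dns-rule-1", "dns-feed-1", range(1, 8), "permit"),
    DnsRule("dns-rule-2", "custom-dns-feed-1", range(8, 11), "sinkhole"),
]
```

`render("dns-profile", PAGE_RULES)` reproduces the 17 `set` commands of step 1 verbatim, so a diff against the page is a quick check that a generated profile matches the intended rule table.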

To display DNS statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics logical-system logical-system-name

  • show services security-intelligence dns-statistics tenant tenant-name

To display DNS profile statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics profile p1 logical-system logical-system-name

  • show services security-intelligence dns-statistics profile p1 tenant tenant-name

To display all DNS statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics logical-system all

  • show services security-intelligence dns-statistics tenant all

  • show services security-intelligence dns-statistics

To clear statistics for DNS filtering, use the following commands:

  • clear services security-intelligence dns-statistics logical-system logical-system-name

  • clear services security-intelligence dns-statistics logical-system all

  • clear services security-intelligence dns-statistics