Juniper SRX System services - DNS

Here we gathered all the necessary commands for setting up Juniper SRX System services – DNS and its features: DNSSEC, DNS proxy and split DNS. Let's begin with the basic configuration:

To configure the TTL value for a DNS server cache:

Specify the maximum TTL value for cached responses, in seconds.

Specify the maximum TTL value for negative cached responses, in seconds.

Juniper SRX System services – DNS – Split DNS

The split DNS proxy feature allows you to configure your proxy server to split the DNS
query based on both the interface and the domain name. You can also configure a set
of name servers and associate them with a given domain name.

Set a default domain name, and specify global name servers according to their IP addresses:

Juniper SRX System services – DNS – DDNS

Servers protected by the device remain accessible despite dynamic IP address changes. For example, a protected Web server continues to be accessible with the same hostname, even after the dynamic IP address is changed because of address reassignment by the Dynamic Host Configuration Protocol (DHCP)
or Point-to-Point Protocol (PPP) by the Internet service provider (ISP).

Juniper SRX System services – DNS – DNS Proxy

Enable DNS proxy on a logical interface:



Juniper SRX System services – DNS – DNSSEC

You can configure secure domains and assign trusted keys to the domains. Both signed
and unsigned responses can be validated when DNSSEC is enabled.
When a domain is configured as a secure domain and DNSSEC is enabled, all unsigned
responses for that domain are ignored and the server returns a SERVFAIL error code to
the client for the unsigned responses. If the domain is not configured as a secure domain,
unsigned responses are accepted.
When the server receives a signed response, it checks if the DNSKEY in the response
matches any of the trusted keys that are configured. If it finds a match, the server accepts
the signed response.
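
A Junos configuration for the DNSSEC behaviour described above, as an added example that is not part of the original page. The domain names are constructed and the key string is a placeholder, not a real DNSKEY.

```junos
# Run from configuration mode. All names and values here are constructed
# for illustration.

# Mark the zones whose answers must be signed. As described above, unsigned
# responses for these domains are ignored and the client receives SERVFAIL.
set system services dns dnssec secure-domains example.net
set system services dns dnssec secure-domains corp.example.net

# Trusted key that the DNSKEY in a signed response is matched against.
# Placeholder: replace with the zone's published DNSKEY, obtained and
# verified out of band.
set system services dns dnssec trusted-keys key "<DNSKEY-FOR-example.net>"

# Any domain NOT listed under secure-domains still has unsigned responses
# accepted, so review the list before relying on it.
show system services dns dnssec

# Validate the candidate configuration, then activate it.
commit check
commit
```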

Reference: Administration Guide for Security Devices