Juniper SRX DNS Proxy Configuration (Split-DNS)



This post is intended to show you how to configure a Juniper SRX to be a DNS proxy for your network. This will allow you to forward DNS queries to both a private DNS server for your local domain and a public DNS server for all other requests.

Using the SRX as a DNS proxy has a few advantages for a network administrator. First, if you ever need to change an upstream DNS server, you only need to update the SRX, not every client. Second, you can split DNS queries by domain name among different DNS servers. This is useful if you have a .local domain server locally or over a VPN: queries for that domain stay local, while all other requests go to a public DNS server.

The topology for this lab is as follows:

  • The internal network in this topology is my home network, which provides access to the Internet.
  • The SRX is configured with DHCP on the UNTRUST side to obtain an IP from my home network.
  • SRX is configured with a static IP of on the TRUST side.
  • SRX is acting as DHCP server for and serving DNS server IP of
  • The SRX is NATing all traffic from TRUST to the UNTRUST interface.
  • Linux host is a simple Ubuntu 16.04 desktop default in EVE-NG.
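
A minimal split-DNS proxy configuration for a topology like this one, as an added example that is not taken from the original post or its repository. The interface name, zone name, domain and all IP addresses are assumed placeholders (documentation ranges), not the lab's actual values.

```junos
# Added example; every value below is a placeholder, not the lab's.
#   ge-0/0/1.0     assumed TRUST-side interface
#   trust          assumed name of the TRUST security zone
#   corp.local     assumed private domain
#   198.51.100.10  assumed private DNS server for corp.local
#   192.0.2.53     assumed public resolver

# Accept client queries on the TRUST interface only, so the proxy
# is not reachable as a resolver from the UNTRUST side.
set system services dns dns-proxy interface ge-0/0/1.0

# Queries for the private domain are forwarded to the internal server.
set system services dns dns-proxy default-domain corp.local forwarders 198.51.100.10

# All other queries are forwarded to the public resolver.
set system services dns dns-proxy default-domain * forwarders 192.0.2.53

# Allow DNS traffic destined to the SRX itself from the TRUST zone.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dns
```

Clients on the TRUST side then use the SRX's TRUST address as their DNS server, as handed out by the SRX's DHCP service in this topology.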

You can find a copy of the EVE-NG topology as well as the SRX start and final configs in my GitHub repository:
