The security device incorporates Domain Name System (DNS) support, allowing you to use domain names for identifying locations. DNS translation supports the following services:
Note: The server IP addresses for each service above must also accept domain names.
A DNS server keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name (such as www.juniper.net) instead of by routable IPv4 or IPv6 address. For example, the IPv4 address of the DNS server for www.juniper.net is 207.17.137.68.
You can also specify a source (src) interface for the DNS server. When you specify a source interface on the security device, DNS request packets, which the DNS module initiates from within the system, are treated as if they had been received externally on that source interface. With a source interface specified, DNS request packets, like user packets, trigger a firewall policy lookup and are handled according to the rules of the matching policy. The source interface can be any interface that belongs to the zone.
Before you can use DNS names with the services described above, you must configure DNS servers.
Enter the necessary information:
Host Name: Enter the name of the security device. The default name is based on the model of the device, for example, ns208 or ns500.
Domain Name: Enter the domain name. You must fill this in if you want Domain Name System (DNS) name/address resolution to work.
Primary DNS Server: Enter the IP address of your primary DNS server. To enhance security, specify a Src Interface to trigger policy lookup for DNS requests.
Secondary DNS Server: Enter the IP address of your secondary DNS server. To enhance security, specify a Src Interface to trigger policy lookup for DNS requests.
Tertiary DNS Server: Enter the IP address of your tertiary DNS server. To enhance security, specify a Src Interface to trigger policy lookup for DNS requests.
DNS refresh every day at: Allows you to specify a daily time (in 24-hour format) or an interval at which the NetScreen device re-resolves its DNS settings.
Clicking the Refresh button forces the device to do a DNS lookup. For more information on the functions of the Refresh button, see "DNS Lookup".
Click Apply to save your configuration.
Security device lookup is subject to several conditions:
DNS lookup is performed as soon as you click Apply or OK on a page that supports DNS.
When DNS lookup returns multiple entries, the address book accepts all entries. The other services mentioned in Domain Name System Support accept only the first entry.
When you refresh a lookup using the Refresh button, the device reinstalls all policies if it finds that anything in the domain name table has changed.
The device must complete a new lookup once a day (this can be automated through the DNS refresh every day at setting and its Interval option of 4, 8, 12, or 24 hours).
If the DNS server fails, the device looks up everything again.
If a lookup fails, the device removes the entry from the cache table.
If the domain-name lookup fails when you are adding an address to the address book, or when you are using a hostname (or hostname plus domain name) to define the address of a remote VPN gateway, the device displays an error message and prompts you to decide whether or not to continue adding the entry to the address book.
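The lookup conditions above determine what the firewall actually enforces once a policy or address-book entry is defined by name rather than by address: the resolved addresses can change between lookups, a failed lookup drops the cached entry, and a change in the table is what triggers a policy reinstall. The following Python script is an added example that models that DNS table and its refresh rules; it is not ScreenOS code and does not talk to the device. The zone contents, domain names, addresses and timestamps are all constructed, and a stub resolver stands in for real DNS so the script runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# A resolver returns the IP address list for a name; an empty list or an
# OSError means the lookup failed. Real code would wrap socket.getaddrinfo;
# this example uses a constructed in-memory zone instead.
Resolver = Callable[[str], List[str]]


@dataclass
class DnsEntry:
    addresses: List[str]   # "IP Address" column of Show DNS Table
    status: str            # "Status" column: "ok" or "failed"
    last_lookup: datetime  # "Last Lookup" column


@dataclass
class DnsTable:
    """Cache of domain name -> addresses, as displayed by Show DNS Table."""
    entries: Dict[str, DnsEntry] = field(default_factory=dict)

    def lookup(self, name: str, resolver: Resolver, now: datetime) -> DnsEntry:
        """Resolve one name (what happens on Apply/OK). A failed lookup is
        reported to the caller and its cached entry, if any, is removed."""
        try:
            ips = resolver(name)
        except OSError:
            ips = []
        if not ips:
            self.entries.pop(name, None)
            return DnsEntry([], "failed", now)
        entry = DnsEntry(list(ips), "ok", now)
        self.entries[name] = entry
        return entry

    def refresh(self, names: List[str], resolver: Resolver, now: datetime) -> bool:
        """Re-resolve every name (Refresh button or the daily schedule).
        Returns True when anything in the table changed, which is the
        condition under which the device reinstalls all policies."""
        before = {n: e.addresses for n, e in self.entries.items()}
        for n in names:
            self.lookup(n, resolver, now)
        after = {n: e.addresses for n, e in self.entries.items()}
        return before != after


def address_book_addresses(entry: DnsEntry) -> List[str]:
    """The address book accepts every address a lookup returns."""
    return list(entry.addresses)


def first_address_only(entry: DnsEntry) -> Optional[str]:
    """The other DNS-aware services keep only the first returned address."""
    return entry.addresses[0] if entry.addresses else None


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Build a resolver backed by a constructed zone (no network access)."""
    def resolve(name: str) -> List[str]:
        if name not in zone:
            raise OSError("constructed NXDOMAIN for " + name)
        return list(zone[name])
    return resolve


def demo() -> dict:
    """Walk through the lookup conditions with constructed data."""
    names = ["www.example.com", "vpn.example.com", "missing.example.com"]
    day1 = datetime(2024, 1, 1, 6, 0)
    day2 = datetime(2024, 1, 2, 6, 0)
    table = DnsTable()

    # Day 1 (constructed zone): www has two addresses, missing does not exist.
    resolver = make_resolver({
        "www.example.com": ["203.0.113.10", "203.0.113.11"],
        "vpn.example.com": ["198.51.100.5"],
    })
    results = {n: table.lookup(n, resolver, day1) for n in names}

    # Day 2: www changed one address and vpn's record was removed upstream.
    resolver = make_resolver({"www.example.com": ["203.0.113.10", "203.0.113.12"]})
    changed = table.refresh(names, resolver, day2)
    unchanged = table.refresh(names, resolver, day2)  # same zone again

    return {
        "day1_status": {n: r.status for n, r in results.items()},
        "www_for_address_book": address_book_addresses(results["www.example.com"]),
        "www_for_other_services": first_address_only(results["www.example.com"]),
        "policies_reinstalled_day2": changed,
        "policies_reinstalled_repeat": unchanged,
        "cached_names_after_day2": sorted(table.entries),
        "www_addresses_after_day2": table.entries["www.example.com"].addresses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the practical consequence of the conditions: the address book would carry both www addresses while a single-address service keeps only 203.0.113.10, the vpn name disappears from the table once its lookup fails, and only the first refresh after the zone change reports a table change and therefore a policy reinstall.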
To view a DNS lookup report, click Show DNS Table. The report lists the following information:
IP Address: Indicates the IP address(es) of the domain.
Status: Indicates whether or not the lookup was successful.
Last Lookup: Indicates the date and time of the last DNS lookup.