信任区域中的 Juniper SRX DNS 查找不起作用

信任区域中的 Juniper SRX DNS 查找不起作用

我是 Juniper 产品的新手,所以这可能是一个愚蠢的问题,但我在互联网上找不到任何答案......

一般来说,我的实验室环境是示例,一个启用了 DHCP 的受信任区域和一个具有双 WAN IP 的不受信任区域,我的目标是让受信任区域用于访问互联网

我的电脑从 SRX DHCP 获取 IP 地址(完整配置可在本文末尾找到):

我的电脑上的配置

DHCP Enabled: Yes    
IPv4 Address: 192.168.1.2    
IPv4 Subnet Mask: 255.255.255.0    
IPv4 Default Gateway: 192.168.1.1    
IPv4 DHCP Server: 192.168.1.1    
IPv4 DNS Server: 192.168.1.1

使用上述设置的测试结果

C:\Users\user>nslookup
Default Server:  UnKnown
Address:  192.168.1.1

> google.com
Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find google.com: No response from server


C:\Users\user>ping 8.8.4.4

Pinging 8.8.4.4 with 32 bytes of data:
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52

Ping statistics for 8.8.4.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C

C:\Users\user>ping google.com
Ping request could not find host google.com. Please check the name and try again.

根据观察到的结果,我的电脑有互联网连接,但无法查找 DNS 记录,但是我在 SRX 中配置了 DNS 名称服务器,发现它可以使用 putty 查找 DNS 记录

telnet@SRX-A> traceroute google.com.hk inet
traceroute to google.com.hk (216.58.221.227), 30 hops max, 40 byte packets
 1  123-123-123-254.static.hk.net (123.123.123.254)  8.488 ms  9.140 ms  9.889 ms
 2  yckfb001.netvigator.com (203.198.7.179)  10.088 ms  9.899 ms  9.494 ms
 3  n219076107190.netvigator.com (219.76.107.190)  9.552 ms  9.673 ms  9.445 ms
 4  218.102.21.53 (218.102.21.53)  9.748 ms  9.872 ms  9.520 ms
 5  wtsc3a054.netvigator.com (218.102.40.54)  10.259 ms  10.171 ms  9.045 ms
 6  tenge8-1.br01.hkg15.pccwbtn.net (63.218.211.97)  20.303 ms  19.483 ms  19.979 ms
 7  72.14.219.25 (72.14.219.25)  9.527 ms  20.102 ms  9.284 ms
 8  209.85.241.56 (209.85.241.56)  20.241 ms  19.139 ms  9.785 ms
 9  209.85.240.205 (209.85.240.205)  19.789 ms  9.647 ms  9.777 ms
10  hkg07s21-in-f227.1e100.net (216.58.221.227)  19.827 ms  19.441 ms  9.783 ms

以下是完整的配置文件:

## Last changed: 2015-11-11 15:38:50 UTC
version 12.1X44-D35.5;
groups {
    node0 {
        system {
            host-name SRX-A;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX-B;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$UxtwVlQz$JTySdQwlJvLVmR4KpA64O.";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user telnet {
            full-name telnet;
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$t5x8eCya$egeoCAw3IsfAfaJT0XdxW0";
            }
        }
    }
    services {
        telnet;
        web-management {
            http {
                interface [ reth0.0 reth1.0 reth2.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                name-server {
                    192.168.1.1;
                }
            }
        }
    }
}
chassis {
    cluster {
        reth-count 3;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            interface-monitor {
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-5/0/6 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.74/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.75/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 123.123.123.254;
            qualified-next-hop 123.123.123.254 {
                preference 7;
            }
            preference 5;
        }
    }
}
security {
    nat {
        source {
            rule-set rs1 {
                from zone Trusted;
                to zone Untrusted;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Trusted to-zone Untrusted {
            policy Outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
                reth2.0;
            }
        }
    }
}

答案1

我没有看到任何配置可以让 SRX 执行 DNS 代理。它可以退出,因为你给了它名称服务器,但没有任何东西可以将其传递给客户端。

尝试这个页面: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/dns-proxy-device-configuration-overview.html

DNS proxy configuration
Enable DNS proxy on a logical interface.
[edit system services]
user@host# set dns dns-proxy interface ge-0/0/1.0
Set a default domain name, and specify global name servers according to their >IP addresses.
[edit system services]
user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
To verify if the configuration is working properly, execute the show command.
user@hostshow system services dns dns-proxy

相关内容