Juniper SRX: DNS lookups not working in the Trusted zone

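I am new to Juniper products, so this may be a stupid question, but I could not find any answer on the Internet.

Basically, my lab environment is a sample setup: a trusted zone with DHCP enabled and an untrusted zone with dual WAN IPs. My goal is to let the trusted zone use the Internet.

My PC gets its IP address from the SRX DHCP server (the full configuration can be found at the end of this post):

Configuration on my PC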

    DHCP Enabled: Yes
    IPv4 Address: 192.168.1.2
    IPv4 Subnet Mask: 255.255.255.0
    IPv4 Default Gateway: 192.168.1.1
    IPv4 DHCP Server: 192.168.1.1
    IPv4 DNS Server: 192.168.1.1

Test results with the above settings

    C:\Users\user>nslookup
    Default Server: UnKnown
    Address: 192.168.1.1

    > google.com
    Server: UnKnown
    Address: 192.168.1.1

    *** UnKnown can't find google.com: No response from server

    C:\Users\user>ping 8.8.4.4

    Pinging 8.8.4.4 with 32 bytes of data:
    Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
    Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
    Reply from 8.8.4.4: bytes=32 time=4ms TTL=52

    Ping statistics for 8.8.4.4:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 4ms, Maximum = 4ms, Average = 4ms
    Control-C
    ^C
    C:\Users\user>ping google.com
    Ping request could not find host google.com. Please check the name and try again.

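Based on the observed results, my PC has Internet connectivity but cannot look up DNS records. However, I have configured DNS name servers on the SRX, and I found that the SRX itself can look up DNS records when I connect to it with PuTTY: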

    telnet@SRX-A> traceroute google.com.hk inet
    traceroute to google.com.hk (216.58.221.227), 30 hops max, 40 byte packets
     1  123-123-123-254.static.hk.net (123.123.123.254)  8.488 ms  9.140 ms  9.889 ms
     2  yckfb001.netvigator.com (203.198.7.179)  10.088 ms  9.899 ms  9.494 ms
     3  n219076107190.netvigator.com (219.76.107.190)  9.552 ms  9.673 ms  9.445 ms
     4  218.102.21.53 (218.102.21.53)  9.748 ms  9.872 ms  9.520 ms
     5  wtsc3a054.netvigator.com (218.102.40.54)  10.259 ms  10.171 ms  9.045 ms
     6  tenge8-1.br01.hkg15.pccwbtn.net (63.218.211.97)  20.303 ms  19.483 ms  19.979 ms
     7  72.14.219.25 (72.14.219.25)  9.527 ms  20.102 ms  9.284 ms
     8  209.85.241.56 (209.85.241.56)  20.241 ms  19.139 ms  9.785 ms
     9  209.85.240.205 (209.85.240.205)  19.789 ms  9.647 ms  9.777 ms
    10  hkg07s21-in-f227.1e100.net (216.58.221.227)  19.827 ms  19.441 ms  9.783 ms

Here is the full configuration file:

    ## Last changed: 2015-11-11 15:38:50 UTC
    version 12.1X44-D35.5;
    groups {
        node0 {
            system {
                host-name SRX-A;
                backup-router 10.3.5.254 destination 192.168.1.0/24;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.3.5.1/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX-B;
                backup-router 10.3.5.254 destination 192.168.1.0/24;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.3.5.1/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$1$UxtwVlQz$JTySdQwlJvLVmR4KpA64O.";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            user telnet {
                full-name telnet;
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$t5x8eCya$egeoCAw3IsfAfaJT0XdxW0";
                }
            }
        }
        services {
            telnet;
            web-management {
                http {
                    interface [ reth0.0 reth1.0 reth2.0 ];
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    name-server {
                        192.168.1.1;
                    }
                }
            }
        }
    }
    chassis {
        cluster {
            reth-count 3;
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
                interface-monitor {
                    ge-0/0/4 weight 255;
                    ge-5/0/4 weight 255;
                    ge-0/0/5 weight 255;
                    ge-5/0/5 weight 255;
                    ge-0/0/6 weight 255;
                    ge-5/0/6 weight 255;
                }
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/5 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/6 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-5/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/5 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/6 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 123.123.123.74/24;
                }
            }
        }
        reth2 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 123.123.123.75/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 123.123.123.254;
                qualified-next-hop 123.123.123.254 {
                    preference 7;
                }
                preference 5;
            }
        }
    }
    security {
        nat {
            source {
                rule-set rs1 {
                    from zone Trusted;
                    to zone Untrusted;
                    rule r1 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Trusted to-zone Untrusted {
                policy Outside {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone Trusted {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Untrusted {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    reth1.0;
                    reth2.0;
                }
            }
        }
    }

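I don't see any configuration that makes the SRX perform DNS proxying. It can resolve names itself because you gave it name servers, but it does not pass that on to the clients.

Try this page: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/dns-proxy-device-configuration-overview.html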

DNS proxy configuration

Enable DNS proxy on a logical interface.

    [edit system services]
    user@host# set dns dns-proxy interface ge-0/0/1.0

Set a default domain name, and specify global name servers according to their IP addresses.

    [edit system services]
    user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100

If you are done configuring the device, commit the configuration.

    [edit]
    user@host# commit

To verify if the configuration is working properly, execute the show command.

    user@host> show system services dns dns-proxy
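
The mismatch described in the answer can be checked offline against a saved configuration. The following is an added example, not part of the original question or answer and not Juniper code: it flags every DHCP `name-server` that is one of the device's own interface addresses while no `dns-proxy` is enabled on that interface. The function names, the trimmed configuration excerpts, the 8.8.8.8 forwarder and the hierarchical rendering of the `dns-proxy` stanza are assumptions.

```python
import re

def statements(config_text):
    """Flatten a curly-brace Junos config into one tuple of path elements per leaf."""
    text = re.sub(r'(?m)^\s*#.*$', '', config_text)       # drop comment lines
    stack, words, out = [], [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == '{':
            stack.append(' '.join(words)); words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            out.append(tuple(stack) + (' '.join(words),)); words = []
        else:
            words.append(tok)
    return out

def dhcp_dns_without_proxy(config_text):
    """Return (ip, interface) pairs where DHCP hands out the device's own address
    as DNS server but dns-proxy is not enabled on that logical interface."""
    stmts = statements(config_text)
    local = {}                                             # ip -> logical interface
    for p in stmts:
        if (p[0] == 'interfaces' and len(p) >= 4
                and p[2].startswith('unit ') and p[-1].startswith('address ')):
            ip = p[-1].split()[1].split('/')[0]
            local[ip] = f"{p[1]}.{p[2].split()[1]}"
    proxied = set()
    for p in stmts:
        if p[:4] == ('system', 'services', 'dns', 'dns-proxy'):
            # Assumption: accept "interface { reth0.0; }" and "interface reth0.0;"
            if p[-2] == 'interface':
                proxied.add(p[-1])
            elif p[-1].startswith('interface '):
                proxied.add(p[-1].split()[1])
    advertised = {p[-1] for p in stmts
                  if p[:3] == ('system', 'services', 'dhcp') and p[-2] == 'name-server'}
    return sorted((ip, local[ip]) for ip in advertised
                  if ip in local and local[ip] not in proxied)

# Constructed excerpt of the question's configuration (relevant stanzas only).
QUESTION_CFG = '''
system { name-server { 8.8.8.8; 8.8.4.4; }
  services { dhcp { router { 192.168.1.1; }
      pool 192.168.1.0/24 { name-server { 192.168.1.1; } } } } }
interfaces { reth0 { unit 0 { family inet { address 192.168.1.1/24; } } } }
'''
# Constructed: same excerpt with the answer's proxy enabled on reth0.0.
FIXED_CFG = QUESTION_CFG + '''
system { services { dns { dns-proxy { interface { reth0.0; }
      default-domain * { forwarders { 8.8.8.8; } } } } } }
'''

if __name__ == '__main__':
    print(dhcp_dns_without_proxy(QUESTION_CFG))
    print(dhcp_dns_without_proxy(FIXED_CFG))
```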