Controlling domain-name access with SRX policies
The SRX can control access to domain names through security policies, but two conditions apply:
1. The DNS configuration on the host must match the DNS configuration on the SRX; otherwise, when a name resolves to several IPs, the host and the SRX may end up with different IPs.
2. When a name resolves to more IPs than the SRX cache list can hold, the IPs that were not cached will not match the policy.
Configuration:
1. Configure the SRX DNS servers
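The two conditions above are easy to state and hard to see. The following Python script is an added example, not part of the original note and not Junos code; it models a dns-name address-book entry as "the set of IPs the SRX has cached for that name" and reports which destinations a host may connect to that the policy will never match. The per-name cache size (MAX_CACHED) and all resolver answers are constructed placeholders in the documentation address ranges; the real cache limit depends on the platform and Junos release.

```python
"""
Added example: model why traffic to a dns-name address-book entry can miss an
SRX policy. The SRX matches a packet only if its destination IP is in the
SRX's own DNS cache for that name, so two things break the match:
  (a) the host's resolver returned an IP the SRX's resolver did not
      (host and SRX point at different name-servers), and
  (b) the name resolves to more IPs than the SRX keeps in its cache list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed per-name cache size for this model only; not a Junos constant.
MAX_CACHED = 4

# Constructed resolver answers (RFC 5737 documentation addresses, not real
# records). "host" is what the client resolved, "srx" is what the SRX's
# configured name-servers returned.
SAMPLE: Dict[str, Dict[str, List[str]]] = {
    "www.baidu.com": {
        "host": ["203.0.113.10", "203.0.113.11"],
        "srx": ["203.0.113.10", "203.0.113.12"],  # SRX uses a different name-server
    },
    "www.qq.com": {
        "host": ["198.51.100.1", "198.51.100.2", "198.51.100.3",
                 "198.51.100.4", "198.51.100.5", "198.51.100.6"],
        "srx": ["198.51.100.1", "198.51.100.2", "198.51.100.3",
                "198.51.100.4", "198.51.100.5", "198.51.100.6"],
    },
}


@dataclass
class DnsNameEntry:
    """One dns-name address-book entry plus the IPs the SRX cached for it."""
    name: str
    cached: List[str] = field(default_factory=list)


def srx_resolve(answers: List[str], max_cached: int = MAX_CACHED) -> List[str]:
    """Model the SRX keeping only the first max_cached answers for a name."""
    return answers[:max_cached]


def uncovered_destinations(host_answers: Set[str], entry: DnsNameEntry) -> Set[str]:
    """Destinations the host may use that the policy referencing entry won't match."""
    return host_answers - set(entry.cached)


def check_domain(name: str, host_answers: List[str], srx_answers: List[str],
                 max_cached: int = MAX_CACHED) -> dict:
    """Report the cached IPs, the unmatched IPs, and which condition caused it."""
    entry = DnsNameEntry(name, srx_resolve(srx_answers, max_cached))
    missed = uncovered_destinations(set(host_answers), entry)
    reasons: List[str] = []
    if set(host_answers) - set(srx_answers):
        reasons.append("resolver mismatch")       # condition (a)
    if len(srx_answers) > max_cached:
        reasons.append("cache list overflow")     # condition (b)
    return {"name": name, "cached": entry.cached,
            "missed": sorted(missed), "reasons": reasons}


def audit(sample: Dict[str, Dict[str, List[str]]]) -> Dict[str, dict]:
    """Run check_domain over every name in the sample."""
    return {n: check_domain(n, v["host"], v["srx"]) for n, v in sample.items()}


if __name__ == "__main__":
    for result in audit(SAMPLE).values():
        status = "OK" if not result["missed"] else "MISS " + ", ".join(result["reasons"])
        print(f"{result['name']}: cached={result['cached']} "
              f"unmatched={result['missed']} -> {status}")
```

In practice the "host" list comes from the client's resolver (for example socket.getaddrinfo on the host) and the "srx" list from the entries shown by `show security dns-cache`; any IP reported as unmatched is a destination the url-test policy will drop even though the name is in the address-set.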
set system name-server 114.114.114.114
set system name-server 202.106.0.20
2. Configure address-book entries of the dns-name type
set security zones security-zone untrust address-book address baidu dns-name www.baidu.com
set security zones security-zone untrust address-book address qq dns-name www.qq.com
set security zones security-zone untrust address-book address taobao dns-name www.taobao.com
set security zones security-zone untrust address-book address-set dns-test address baidu
set security zones security-zone untrust address-book address-set dns-test address qq
3. Configure the policies
### First, a policy that permits DNS lookups is required
set security policies from-zone trust to-zone untrust policy dns-permit match source-address any
set security policies from-zone trust to-zone untrust policy dns-permit match destination-address any
set security policies from-zone trust to-zone untrust policy dns-permit match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy dns-permit match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy dns-permit then permit
### Policy permitting access to the specified domains; the SRX only queries the DNS server for a dns-name address once that address is referenced in a policy
set security policies from-zone trust to-zone untrust policy url-test match source-address 192.168.150.253/32
set security policies from-zone trust to-zone untrust policy url-test match destination-address dns-test
set security policies from-zone trust to-zone untrust policy url-test match application any
set security policies from-zone trust to-zone untrust policy url-test then permit
DNS cache:
Show the DNS cache:
show security dns-cache
TTL is the remaining cache time of that name on the SRX, in seconds.
Note: the www.taobao.com address-book entry is not referenced in any policy, so taobao does not appear in the dns-cache.
Clear the DNS cache:
clear security dns-cache
After running the command, the TTL of www.qq.com was refreshed.
Policy status
Session status on the SRX
Note: the SRX sends its DNS queries from the default VR; if you use other VRs, make sure the DNS server is reachable from the default VR.