I am trying to help someone out who has a Juniper SRX550. What we want to do is to block outbound port 53 on the DHCP pool, and only outbound port 53 except for the name-server that is set for the DHCP pool (in this case the IPs are set to OpenDNS, but I don’t think that is relevant.
set system services dhcp pool 10.0.0.0/24 name-server 208.67.222.222
Set the name-server, but I have been unable to find a way to block outbound DNS that aren’t going to the OpenDNS servers.
This is what the config looks like currently:
dhcp {
pool 10.0.0.0/24 {
address-range low 10.0.0.10 high 10.0.0.254;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.0.0.1;
}
}
}
set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" match source-address "name of DHCP range in address list"
set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" match destination-address "name of DNS server in address list"
set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" match application [ junos-dns-tcp junos-dns-udp ]
set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" then permit
set security policies global policy DNS_Block match source-address "name of DHCP range in address list"
set security policies global policy DNS_Block match application [ junos-dns-tcp junos-dns-udp ]
set security policies global policy DNS_Block then deny