Block a specific port on a Juniper


I am trying to help someone out who has a Juniper SRX550. What we want to do is to block outbound port 53 on the DHCP pool, and only outbound port 53, except for the name-server that is set for the DHCP pool (in this case the IPs are set to OpenDNS, but I don’t think that is relevant).

set system services dhcp pool 10.0.0.0/24 name-server 208.67.222.222

This sets the name-server, but I have been unable to find a way to block outbound DNS that isn’t going to the OpenDNS servers.

This is what the config looks like currently:

dhcp {
    pool 10.0.0.0/24 {
        address-range low 10.0.0.10 high 10.0.0.254;
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        router {
            10.0.0.1;
        }
    }
}

There are 2 answers

Huy Vũ Trần (BEST ANSWER)

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy "name of the permit policy" match source-address "name of DHCP range in address list"

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy "name of the permit policy" match destination-address "name of DNS server in address list"

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy "name of the permit policy" match application [ junos-dns-tcp junos-dns-udp ]

set security policies from-zone "name of the DHCP range zone" to-zone "name of your DNS server zone" policy "name of the permit policy" then permit

set security policies global policy DNS_Block match source-address "name of DHCP range in address list"

set security policies global policy DNS_Block match destination-address any

set security policies global policy DNS_Block match application [ junos-dns-tcp junos-dns-udp ]

set security policies global policy DNS_Block then deny

Sean Thorburn

Add firewall rules that deny port 53 access to all IPs other than the OpenDNS server.
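A complete worked configuration for both answers above, added here as an editor's example rather than code from either poster. It assumes the DHCP LAN sits in zone `trust`, the internet in zone `untrust`, and an existing broad permit policy named `ALLOW-ALL` between them; the address-book and policy names are placeholders chosen for this example, and the `#` lines are explanatory comments for the reader. Unlike the accepted answer, the deny is placed as an ordered zone policy (with logging), because a global policy is only evaluated when no zone-pair policy has already matched, so an existing permit-all policy would let DNS to other resolvers through before the global deny is reached.

```junos
# Address-book entries: the DHCP pool and the two OpenDNS resolvers from the question
set security address-book global address DHCP-POOL 10.0.0.0/24
set security address-book global address OPENDNS-1 208.67.222.222/32
set security address-book global address OPENDNS-2 208.67.220.220/32
set security address-book global address-set OPENDNS address OPENDNS-1
set security address-book global address-set OPENDNS address OPENDNS-2

# 1. Permit DNS (UDP and TCP) from the pool only to the OpenDNS resolvers
set security policies from-zone trust to-zone untrust policy DNS-ALLOW-OPENDNS match source-address DHCP-POOL
set security policies from-zone trust to-zone untrust policy DNS-ALLOW-OPENDNS match destination-address OPENDNS
set security policies from-zone trust to-zone untrust policy DNS-ALLOW-OPENDNS match application [ junos-dns-udp junos-dns-tcp ]
set security policies from-zone trust to-zone untrust policy DNS-ALLOW-OPENDNS then permit

# 2. Deny and log every other DNS flow from the pool (catches hosts with hard-coded resolvers)
set security policies from-zone trust to-zone untrust policy DNS-BLOCK match source-address DHCP-POOL
set security policies from-zone trust to-zone untrust policy DNS-BLOCK match destination-address any
set security policies from-zone trust to-zone untrust policy DNS-BLOCK match application [ junos-dns-udp junos-dns-tcp ]
set security policies from-zone trust to-zone untrust policy DNS-BLOCK then deny
set security policies from-zone trust to-zone untrust policy DNS-BLOCK then log session-init

# 3. Policies are evaluated top-down: both must sit above the broad permit (assumed name ALLOW-ALL)
insert security policies from-zone trust to-zone untrust policy DNS-ALLOW-OPENDNS before policy ALLOW-ALL
insert security policies from-zone trust to-zone untrust policy DNS-BLOCK before policy ALLOW-ALL

# 4. Check the resulting order before committing
run show security policies from-zone trust to-zone untrust
commit check
```

The logged denies from `DNS-BLOCK` show which LAN hosts are still trying to reach other resolvers, which is the signal to watch after the change.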