amigan_99 asked on
Juniper SRX Limitations to address objects - dynamic naming with DNS
I was trying to enter a dynamic DNS address entry in my Juniper SRX. But it complained that the name was over the 63 character limit. We had earlier tried to put a CNAME into DNS for this dynamic resolution, but it seems that the Juniper only wants A records. Is there any means to work around the 63 character limit? Is it known if using a CNAME for this functionality should work as well as putting in an A record?
set security zones security-zone untrust address-book address db2-beta dns-name foo-57-foofoo-beta-db-1098-cluster.cluster-ckdk44ooba4ab123.us-east-1.rds.amazonaws.com ipv4-only
ASKER
Suppose I had a cname shortername.acme.com which points to
db2-beta dns-name foo-57-foofoo-beta-db-1098-cluster.cluster-ckdk44ooba4ab123.us-east-1.rds.amazonaws.com
which has address 100.64.99.99.
Should this work?
set security zones security-zone untrust address-book address db2-beta dns-name shortername.acme.com ipv4-only
I had problems with an address book object that was using a CNAME such as this. But if it's supposed to work I could look into it deeper.
ASKER CERTIFIED SOLUTION
ASKER
Thank you sir.
Not sure what you mean when you say "use CNAME instead of A record; functionality should work"?
Even though you would configure a DNS name, the name would be resolved to an IP by the SRX using the defined nameserver. It would refresh the name-to-IP mapping when the DNS TTL expires.
The SRX, based on the source and destination IP addresses and the policy match, would decide whether to permit or deny the traffic.
If you use a CNAME in the policy, but the destination IP on the packet is the A record which, say, resolves to a different IP than the CNAME, then the firewall policy would deny the traffic.
Let me know if you need more details.
Thank you!
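The resolution and policy behaviour described in the reply above, as an added illustration that is not part of the thread and not Juniper code: a small model of an SRX dns-name address-book object that chases a CNAME to its A record, caches the IP until the TTL expires, and matches policy on the resolved IP. The zone data, the 63-character check and the `AddressBookEntry` class are constructed assumptions for this example; the long RDS hostname and 100.64.99.99 are taken from the thread.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed zone standing in for the nameserver the SRX points at.
# Record format: name -> (rtype, value, ttl_seconds).
LONG_NAME = ("foo-57-foofoo-beta-db-1098-cluster.cluster-ckdk44ooba4ab123"
             ".us-east-1.rds.amazonaws.com")
ZONE = {
    "shortername.acme.com": ("CNAME", LONG_NAME, 60),
    LONG_NAME: ("A", "100.64.99.99", 300),
}

JUNOS_DNS_NAME_MAX = 63   # limit the asker hit on the dns-name argument
DNS_LABEL_MAX = 63        # RFC 1035 per-label limit

def check_dns_name(name: str) -> list[str]:
    """Reasons a dns-name would be rejected; empty list means it is accepted."""
    problems = []
    if len(name) > JUNOS_DNS_NAME_MAX:
        problems.append(f"{len(name)} chars exceeds the {JUNOS_DNS_NAME_MAX}-char limit")
    for label in name.split("."):
        if not label or len(label) > DNS_LABEL_MAX:
            problems.append(f"bad label {label!r}")
    return problems

def resolve_a(name: str, zone=ZONE, max_hops: int = 8) -> tuple[str, int]:
    """Follow CNAMEs to an A record; return (ip, smallest TTL seen on the chain)."""
    ttl = None
    for _ in range(max_hops):
        rtype, value, rec_ttl = zone[name]      # KeyError models NXDOMAIN
        ttl = rec_ttl if ttl is None else min(ttl, rec_ttl)
        if rtype == "A":
            return value, ttl
        name = value                             # CNAME: chase the target
    raise RuntimeError("CNAME chain too long")

@dataclass
class AddressBookEntry:
    """Model of an SRX address-book object with a dns-name, refreshed on TTL expiry."""
    name: str
    dns_name: str
    ip: str | None = None
    expires_at: int = 0

    def refresh(self, now: int, zone=ZONE) -> str:
        if self.ip is None or now >= self.expires_at:
            self.ip, ttl = resolve_a(self.dns_name, zone)
            self.expires_at = now + ttl
        return self.ip

def policy_permits(entry: AddressBookEntry, dst_ip: str, now: int) -> bool:
    """Policy matches on the resolved IP, not on the name in any DNS record."""
    return ipaddress.ip_address(dst_ip) == ipaddress.ip_address(entry.refresh(now))
```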