Juniper SRX mucking with DNS

I was getting some strange DNS answers on the servers in a trust zone on my SRX. All the servers are statically NAT’d to external IP’s and run their own caching resolvers but when I tried to query for the servers A RR I kept getting the internal IP address. No name server either internal or external was serving that A RR. Eventually I realised that it was the SRX changing the answer section of the DNS response. I don’t know if it is on by default, or if I switched it on by mistake but it was the DNS Application Layer Gateway (ALG) trying to help by making use of what it knew about the static NATs. Switching DNS ALG off solved the issue. For a detailed description of what the ALG does see the Junos OS Security Configuration Guide.

Spread the word. Share this post!


  1. Luqman

    Hi, really thanks for your post

    i’m searching everywhere about dns server resolving local ip instead of public ip address behind firewall junos.

  2. Neikius

    Thank you for this! Took me quite a while to figure this out and it was really nasty time for me. Local ip’s comming out of the public part made everything break down real hard and the mention of this “feature” is quite obscure…

  3. Had the same problem. set security alg dns diable

    solved the problem. Thank you very much for your post! I would never have guess it was the srx.

  4. John

    Thanks a lot. I was running a VM environment with a vSRX between “outside” and “DMZ”. From an outside host I was getting the internal IP addresses from the DNS server at the DMZ (while these internal IP’s weren’t in the zone file). I thought I was going crazy, but it was the ALG that is crazy by default : )

Comments are closed.