You're dropping all outside udp return traffic to y.y.y.1 - unless that host uses an entirely different address for its recursion.
On Sunday, May 29, 2016, <cle...@s4networks.com.br> wrote:

> dear good night,
>
> how to configure DNS recursive filter in my MX5 Juniper?
>
> IP DNS: Y.Y.Y.1
> authorized network: 10.0.0.0/8
>
> below is configuration, but does not work.
>
>
> set firewall family inet filter FILTER-DNS term 1 from source-address 10.0.0.0/8
> set firewall family inet filter FILTER-DNS term 1 from destination-address Y.Y.Y.1
> set firewall family inet filter FILTER-DNS term 1 from destination-port 53
> set firewall family inet filter FILTER-DNS term 1 from protocol udp
> set firewall family inet filter FILTER-DNS term 1 from protocol tcp
> set firewall family inet filter FILTER-DNS term 1 then accept
>
> set firewall family inet filter FILTER-DNS term 10 from tcp-established
> set firewall family inet filter FILTER-DNS term 10 from destination-address Y.Y.Y.1
> set firewall family inet filter FILTER-DNS term 10 then accept
>
> set firewall family inet filter FILTER-DNS term 40 from destination-address Y.Y.Y.1
> set firewall family inet filter FILTER-DNS term 40 then discard
>
> set firewall family inet filter FILTRO-DNS term 50 then accept
>
> by google translator.
>
> thank you for attention.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
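The reply's point, shown as an added example that is not part of the original thread: a small Python model of first-match evaluation over the posted terms, run against constructed packets. Assumptions: 192.0.2.1 stands in for Y.Y.Y.1, the outside addresses are made up, `tcp-established` is modelled as "ACK or RST set" on TCP packets only, and term 50 is treated as part of FILTER-DNS.

```python
import ipaddress
from dataclasses import dataclass

RESOLVER = ipaddress.ip_address("192.0.2.1")   # constructed stand-in for Y.Y.Y.1
CLIENTS = ipaddress.ip_network("10.0.0.0/8")   # authorized network from the post

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "udp" or "tcp"
    sport: int
    dport: int
    tcp_flags: frozenset = frozenset()

def to_resolver(p):
    return ipaddress.ip_address(p.dst) == RESOLVER

def term1(p):
    # Authorized clients querying the resolver on port 53, UDP or TCP.
    return (ipaddress.ip_address(p.src) in CLIENTS and to_resolver(p)
            and p.dport == 53 and p.proto in ("udp", "tcp"))

def term10(p):
    # tcp-established: TCP segment with ACK or RST set, destined to the resolver.
    return p.proto == "tcp" and bool(p.tcp_flags & {"ack", "rst"}) and to_resolver(p)

# Terms in the order posted; the first matching term decides the action.
TERMS = [
    ("1", term1, "accept"),
    ("10", term10, "accept"),
    ("40", to_resolver, "discard"),
    ("50", lambda p: True, "accept"),
]

def evaluate(p):
    for name, match, action in TERMS:
        if match(p):
            return name, action
    return "implicit", "discard"

# Constructed sample traffic.
CLIENT_QUERY = Packet("10.1.2.3", "192.0.2.1", "udp", 40000, 53)
UDP_ANSWER = Packet("198.51.100.53", "192.0.2.1", "udp", 53, 33333)   # authoritative -> resolver
TCP_ANSWER = Packet("198.51.100.53", "192.0.2.1", "tcp", 53, 33333, frozenset({"ack"}))
OUTSIDE_QUERY = Packet("203.0.113.9", "192.0.2.1", "udp", 5353, 53)   # unauthorized client

if __name__ == "__main__":
    for label, pkt in [("client query", CLIENT_QUERY), ("UDP answer", UDP_ANSWER),
                       ("TCP answer", TCP_ANSWER), ("outside query", OUTSIDE_QUERY)]:
        print(f"{label:14} -> term {evaluate(pkt)[0]}: {evaluate(pkt)[1]}")
```

The UDP answer from the outside authoritative server falls through to term 40 and is discarded, while the TCP answer survives via term 10; a stateless filter cannot tell that UDP answer apart from unsolicited traffic without an explicit term for it.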