You need to provide internal DNS servers for internal resolution, and public servers for external resolution.
Configure the DNS proxy:
FIREWALL-A-> set dns proxy
FIREWALL-A-> set dns proxy enable
FIREWALL-A-> set interface wireless1 proxy dns
FIREWALL-A-> set dns server-select domain juniper.net primary-server 10.1.1.1
FIREWALL-A-> set dns server-select domain * primary-server 220.127.116.11 secondary-server 18.104.22.168
You can use the DNS proxy functionality in ScreenOS to enable split DNS. Figure 6-2 shows a typical DNS proxy solution.
Figure 6-2 illustrates a traditional Small Office/Home Office (SOHO) environment. A firewall is deployed in the remote office, and an IPSec tunnel is built to headquarters. The administrators have deployed a "split tunneling" environment in which all traffic bound for corporate headquarters is sent through the IPSec tunnel, whereas external traffic is sent directly to the Internet Service Provider (ISP).
The need for "split DNS" arises for internal hosts whose names resolve to private addresses (names that cannot be resolved publicly, or that resolve to different addresses depending on whether private or public DNS is used). When the DNS proxy is enabled on an interface, the firewall acts as the DNS resolver for the clients on that interface. You can use either static configuration on the client or DHCP to assign the firewall as the client's DNS server.
Figure 6-2. A typical DNS proxy example
When a client needs to do a DNS ...