Here is the Juniper flavour of the FQDN access-list. The policy references the dns-name address-book entry and the SRX populates the policy's destination addresses from the resolved records. As noted in the optimisation and initial ASA FQDN configuration posts, it is important to set your expectations accordingly: the policy is only as current as the DNS timers allow.
First, we create an address-book entry in the untrust zone, then apply it as the destination of a permit any/any policy.
set security zones security-zone ZONE-UNTRUST address-book address ADD-maps.google.com dns-name maps.google.com ipv4-only
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match source-address any
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match destination-address ADD-maps.google.com
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match application any
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE then permit
This configuration is just as easy as the ASA version in the previous post. Now define the DNS name server the SRX will use to resolve the dns-name:
set system name-server 192.168.1.10
When you expand the policy, look at the destination addresses:
SRX110#> show security policies policy-name PERMIT-GOOGLE detail
Policy: PERMIT-GOOGLE, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: ZONE-LAB, To zone: ZONE-UNTRUST
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    ADD-maps.google.com: 74.125.237.101/32
    ADD-maps.google.com: 74.125.237.102/32
    ADD-maps.google.com: 74.125.237.103/32
    ADD-maps.google.com: 74.125.237.104/32
    ADD-maps.google.com: 74.125.237.105/32
  Application: any
As with the optimisation post, it is important to investigate the services you are using and inspect their DNS TTL and other behaviour, since the SRX permits only the addresses it last resolved. If you want web filtering, this is not the tool for it; Juniper offers its UTM technology for that.
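To make the TTL caveat concrete, here is an added Python audit (not from the original post or from Juniper) that parses the destination addresses out of the `show security policies ... detail` output above and compares them with a DNS answer. The show output and the DNS answer below are constructed samples; a real check would query the same name-server the SRX is configured with.

```python
import re
from typing import Dict, Set

# Constructed sample in the shape of 'show security policies ... detail' from the
# post; the addresses are the post's example values, not a live resolution.
SHOW_OUTPUT = """\
Policy: PERMIT-GOOGLE, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  From zone: ZONE-LAB, To zone: ZONE-UNTRUST
  Destination addresses:
    ADD-maps.google.com: 74.125.237.101/32
    ADD-maps.google.com: 74.125.237.102/32
    ADD-maps.google.com: 74.125.237.103/32
  Application: any
"""

# Constructed DNS answer (address -> TTL in seconds); a real check would query the
# same name-server the SRX uses so both sides see the same view of the record set.
DNS_ANSWER = {"74.125.237.102": 240, "74.125.237.103": 240, "74.125.237.110": 240}

ENTRY_RE = re.compile(r"^\s+(?P<book>\S+): (?P<ip>\d+\.\d+\.\d+\.\d+)/32$")

def parse_destinations(show_output: str) -> Dict[str, Set[str]]:
    """Map address-book name -> /32 hosts listed under 'Destination addresses:'."""
    dests: Dict[str, Set[str]] = {}
    in_section = False
    for line in show_output.splitlines():
        if line.strip() == "Destination addresses:":
            in_section = True
            continue
        if in_section:
            m = ENTRY_RE.match(line)
            if not m:  # first non-entry line (e.g. 'Application: any') ends the section
                break
            dests.setdefault(m["book"], set()).add(m["ip"])
    return dests

def audit_fqdn_policy(show_output: str, book: str, dns_answer: Dict[str, int]) -> dict:
    """Compare the SRX's expansion of a dns-name with a fresh DNS answer.
    stale:   still permitted although DNS no longer returns them
    missing: returned by DNS but not yet in the policy, so clients landing there are
             dropped until the SRX re-resolves (expect the gap to last up to min_ttl)."""
    policy_hosts = parse_destinations(show_output).get(book, set())
    dns_hosts = set(dns_answer)
    return {
        "stale": sorted(policy_hosts - dns_hosts),
        "missing": sorted(dns_hosts - policy_hosts),
        "min_ttl": min(dns_answer.values()) if dns_answer else None,
    }
```

A non-empty "missing" list is the failure mode the post warns about: the client resolves to a host the firewall has not yet learned, and the connection is dropped until the SRX's own resolution catches up.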