topic Re: DNS not resolving for a website in Next-Generation Firewall Discussions

DNS not resolving for a website

Jerome.j — Thu, 04 Jan 2024 07:53:04 GMT

Hi All,

I have been experiencing DNS resolution issue for one particular website on all the systems under our Palo Alto firewall network. However, it is working well on the systems under our Sophos network.

At first, I checked the website category and found it falls under malware and gave an exception to it to be accessed on our network in the URL filtering, but no luck. Then, removed all the security profiles for the security rule that I am in and it didn't work either. In the meantime, I couldn't see any log in the traffic monitor. Then, I noticed the browser throwing this error "DNS_PROBE_FINISHED_NXDOMAIN"

It doesn't make sense, as it worked well on other systems that run through Sophos but not with any of the systems with Palo Alto.

Please help me with this and let me know if I am missing something.

Thanks,

Jerome

Re: DNS not resolving for a website

Adrian_Jensen — Thu, 04 Jan 2024 17:34:02 GMT

That error means that the browser can not resolve an IP address for the name given... so the DNS is not working. If you do a nslookup for the name on a command line, what do you get? I am guess it is a "Non-existant domain" error. Does this extend to other internet names as well?

It sounds like you have DNS filtering in place somewhere that is blocking/filtering DNS responses (you can sinkhole DNS on the PaloAlto, but normally that returns an IP that directs to a blocked page or gets dropped, not return a not-resolved DNS error).

Re: DNS not resolving for a website

Jerome.j — Fri, 05 Jan 2024 12:24:22 GMT

Hi Adrian,

I didn't configure any DNS filtering in the firewall. Other names are getting resolved without issues.

Then, I added a forward lookup zone for the website in our DNS server and added a host pointing to the site's public address. It worked fine and I let it be.

Do I need to check anything on the firewall to access the website without that DNS host in the DNS server?

Thanks,

Jerome

Re: DNS not resolving for a website

MP18 — Fri, 05 Jan 2024 17:52:48 GMT

@Jerome.j I did request for site recategorize

URL: https://rentpro.rpa5.com
Categories: Real-Estate
Risk Level: Low-Risk

Hope this helps you now

Regards

Re: DNS not resolving for a website

MP18 — Fri, 05 Jan 2024 17:58:13 GMT

@Jerome.j Also I have no issues while accessing this website

Re: DNS not resolving for a website

Adrian_Jensen — Fri, 05 Jan 2024 18:19:17 GMT

Since you added a forward zone/resolution on your internal DNS server and it works, it sounds like your DNS server couldn't previously resolve that domain. Does your DNS server just forward requests to Google 8.8.8.8/etc. or does it actually work as a full recursive DNS server querying the SOA of the domain?

I suspect the later, in which case your DNS server was probably trying to resolve the domain from the SOA but couldn't connect. That sounds like the PaloAlto was blocking the DNS server's requests out to the internet, not the end user's browser. I.e. your client browser is trying to go to "blog.example.com" so the following happens:

1) The user types "blog.example.com" into the browser.

2) The client machine sends a DNS lookup request for the FQDN to your DNS server. (client -> dns:53)

3) The DNS server queries the root DNS servers and finds that the "example.com" SOA points to "ns.malware.test" (dns -> rootserver:53)

4) The DNS server then tries to query "ns.malware.test" for the FQDN "blog.example.com" but is blocked by the PaloAlto do to the destination. (dns -X-> ns.malware.test:53)

5) The DNS server is unable to resolve the domain so it sends a NXDOMAIN back to the client. (dns:53 -> client)

6) The browser display a DNS_PROBE_FINISHED_NXDOMAIN error to the user.

By putting a local forward zone into the DNS server, you have short-circuited steps #3-4 so the DNS server immediately returns the configured IP to the client in step #5 and the browser connects to that IP in step #6.

It is hard to guess at other people's PA configurations, but I would start looking in you logs for outbound connections from your DNS server to port 53 on internet hosts that may have been blocked (i.e. destination IP is in a blacklist, malicious IP EDL, country/region block, etc.). You can also use any one of many online tools to lookup the SOA of the domain you are having issues with, such as:

https://mxtoolbox.com/SOALookup.aspx

Once you know the SOA address, you can test whether connections from the DNS server to the SOA destination address it would be blocked by your filter rules: Policies -> Security -> Test Policy Match

Re: DNS not resolving for a website

Jerome.j — Sat, 06 Jan 2024 08:52:29 GMT

Thank you @MP18. This is a much-needed one for me..

Re: DNS not resolving for a website

Jerome.j — Tue, 09 Jan 2024 05:48:43 GMT

It is working fine for me now. Thanks @MP18

Re: DNS not resolving for a website

Jerome.j — Tue, 09 Jan 2024 05:52:16 GMT

Thanks @Adrian_Jensen I now get how it works and able to find out where it stuck.

Re: DNS not resolving for a website

MP18 — Tue, 09 Jan 2024 15:06:48 GMT

@Jerome.j Thanks for letting us know.