<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DNS rewrite in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-rewrite/m-p/511847#M275</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I am using DNS rewrite for a hosted service that we are connecting to; however, the global nature of this feature is causing me some problems now, as we are connecting a network we do not manage to our firewall, which causes routing to fail to the rewritten addresses.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One of the solutions I am considering is creating a new vsys on the firewall and using this for the rewrite. My reasoning for doing it this way is so that all other DNS traffic that does not go to this new vsys will not have its DNS entries rewritten.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, I have a concern that moving the DNS rewrites to a separate vsys will not prevent DNS replies being rewritten in the old vsys (due to the fact the documentation says the DNS rewrite occurs at the global level). I understand that a separate vsys should, for all intents and purposes, run as a completely separate logical firewall, but I am just a little concerned that this may be a scenario where it doesn't.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any help here would be greatly appreciated.&lt;/P&gt;</description>
    <pubDate>Mon, 15 Aug 2022 14:33:08 GMT</pubDate>
    <dc:creator>MichaelWrigh</dc:creator>
    <dc:date>2022-08-15T14:33:08Z</dc:date>
    <item>
      <title>DNS rewrite</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-rewrite/m-p/511847#M275</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I am using DNS rewrite for a hosted service that we are connecting to; however, the global nature of this feature is causing me some problems now, as we are connecting a network we do not manage to our firewall, which causes routing to fail to the rewritten addresses.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One of the solutions I am considering is creating a new vsys on the firewall and using this for the rewrite. My reasoning for doing it this way is so that all other DNS traffic that does not go to this new vsys will not have its DNS entries rewritten.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, I have a concern that moving the DNS rewrites to a separate vsys will not prevent DNS replies being rewritten in the old vsys (due to the fact the documentation says the DNS rewrite occurs at the global level). I understand that a separate vsys should, for all intents and purposes, run as a completely separate logical firewall, but I am just a little concerned that this may be a scenario where it doesn't.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any help here would be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Aug 2022 14:33:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-rewrite/m-p/511847#M275</guid>
      <dc:creator>MichaelWrigh</dc:creator>
      <dc:date>2022-08-15T14:33:08Z</dc:date>
    </item>
  </channel>
</rss>

