topic Different DNS Servers in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/different-dns-servers/m-p/1230053#M5929 <P>Hello,</P> <P>We have a lot of servers in production (PRD) and development (DVE) domain.</P> <P>Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domain and hence uses&nbsp;internal PRD-DNS-Server to resolve FQDN objects.</P> <P>&nbsp;</P> <P>Now what happens is that intermittently, our DVE servers are unable to reach certain internet URLs. We found that, even though we have a policy on our firewall with fqdn object for that domain, at certain instances, the IP resolved by&nbsp;PRD-DNS-Server and DVE-DNS-Server are different and hence the firewall blocks the connection.</P> <P>I have tried adjusting the FQDN refresh time on PA Firewall but it does not help because it depends on what IP is getting resolved at the instance of the issue.</P> <P>&nbsp;</P> <P>Any idea on how to get around this problem? If I use&nbsp;internal DVE-DNS-Server to resolve firewall objects then the production servers will have issues accessing the URLs.</P> Mon, 26 May 2025 06:07:43 GMT PAFWNoob 2025-05-26T06:07:43Z Different DNS Servers https://live.paloaltonetworks.com/t5/next-generation-firewall/different-dns-servers/m-p/1230053#M5929 <P>Hello,</P> <P>We have a lot of servers in production (PRD) and development (DVE) domain.</P> <P>Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domain and hence uses&nbsp;internal PRD-DNS-Server to resolve FQDN objects.</P> <P>&nbsp;</P> <P>Now what happens is that intermittently, our DVE servers are unable to reach certain internet URLs. We found that, even though we have a policy on our firewall with fqdn object for that domain, at certain instances, the IP resolved by&nbsp;PRD-DNS-Server and DVE-DNS-Server are different and hence the firewall blocks the connection.</P> <P>I have tried adjusting the FQDN refresh time on PA Firewall but it does not help because it depends on what IP is getting resolved at the instance of the issue.</P> <P>&nbsp;</P> <P>Any idea on how to get around this problem? If I use&nbsp;internal DVE-DNS-Server to resolve firewall objects then the production servers will have issues accessing the URLs.</P> Mon, 26 May 2025 06:07:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/different-dns-servers/m-p/1230053#M5929 PAFWNoob 2025-05-26T06:07:43Z Re: Different DNS Servers https://live.paloaltonetworks.com/t5/next-generation-firewall/different-dns-servers/m-p/1230087#M5935 <P>Set up DNS Proxy on Palo.</P> <P>Add Palo DNS Proxy IP into Domain Controller Forwarder field in DNS setting (or DNAT outgoing port 53 traffic to DNS Proxy IP in Palo).</P> <P>This forces both domains to use Palo to resolve IPs and Palo will cache correct IP.</P> Mon, 26 May 2025 12:57:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/different-dns-servers/m-p/1230087#M5935 Raido_Rattameister 2025-05-26T12:57:12Z