Can the internal DNS server be behind SPN not a CAN?

NikolayDimitrov — Thu, 08 Jul 2021 06:09:12 GMT

Can the internal global or specific internal DNS servers for mobile users or remote networks be behind SPN and not a CAN as the CAN is just there for routing for mobile users without a real active ipsec tunnel?

Basically I mean the internal DNS servers to be in the remote network address space that is connected to the SPN, because the SPN provides policy check and ssl decryption as the Data Center firewalls is old layer3/4 with no ssl decryption, better use SPN than a CAN.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-users/quick-configs-for-user-deployments/dns-resolution-for-mobile-users-and-remote-networks

Re: Can the internal DNS server be behind SPN not a CAN?

NikolayDimitrov — Thu, 05 Aug 2021 10:08:28 GMT

I think that also Authentication servers like LDAP and other services can be behind an security processing node if the Data Center does not have a good firewall (this is why service node seems a bad idea). As the Prisma Access is full mesh iBGP I will consider this the case as every source may connect to every destination (only for mobile gateways a CAN even if it is without active ipsec tunnels is needed for routing) till someone says that this is not possible.

Edit:

Palo Alto confirmed that this is the case.

topic Re: Can the internal DNS server be behind SPN not a CAN? in Prisma Access Discussions

Can the internal DNS server be behind SPN not a CAN?

Re: Can the internal DNS server be behind SPN not a CAN?