<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic External DNS resolution for specific domains in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/external-dns-resolution-for-specific-domains/m-p/488139#M104784</link>
    <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to look for a solution to an issue we have where we don't want to add routes from Azure (via ExpressRoute) to an on premise for public IPs which Azure devices need to connect to via a Palo Alto firewall and across a VPN to a 3rd party.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At the moment we have configured an FQDN NAT on our Palo Alto firewalls (where the connection routes through) and currently our internal DNS is learning the name resolution externally, so the connection kind of works for now, but we need to add DNS zones and entries for where we are trying to connect to, which will map the FQDN to the NAT address, which will break the connection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have had a look at DNS proxy and I don't think that will work, as we don't want to configure the Azure hosts with the firewall IP address for DNS as that will break other things.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suspect we are going to have to bite the bullet and allow the routing across from Azure unless there is a means of making external DNS work for this specific traffic.&lt;/P&gt;</description>
    <pubDate>Wed, 18 May 2022 09:23:37 GMT</pubDate>
    <dc:creator>StuartS</dc:creator>
    <dc:date>2022-05-18T09:23:37Z</dc:date>
    <item>
      <title>External DNS resolution for specific domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dns-resolution-for-specific-domains/m-p/488139#M104784</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to look for a solution to an issue we have where we don't want to add routes from Azure (via ExpressRoute) to an on premise for public IPs which Azure devices need to connect to via a Palo Alto firewall and across a VPN to a 3rd party.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At the moment we have configured an FQDN NAT on our Palo Alto firewalls (where the connection routes through) and currently our internal DNS is learning the name resolution externally, so the connection kind of works for now, but we need to add DNS zones and entries for where we are trying to connect to, which will map the FQDN to the NAT address, which will break the connection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have had a look at DNS proxy and I don't think that will work, as we don't want to configure the Azure hosts with the firewall IP address for DNS as that will break other things.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suspect we are going to have to bite the bullet and allow the routing across from Azure unless there is a means of making external DNS work for this specific traffic.&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 09:23:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dns-resolution-for-specific-domains/m-p/488139#M104784</guid>
      <dc:creator>StuartS</dc:creator>
      <dc:date>2022-05-18T09:23:37Z</dc:date>
    </item>
    <item>
      <title>Re: External DNS resolution for specific domains</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dns-resolution-for-specific-domains/m-p/507800#M105769</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144955"&gt;@StuartS&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you only add the entries you need to your internal DNS, why or which connections will be broken by this?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you only need a few entries, then NAT seems to me like a good solution - if everything is passing your firewall, then I think you don't even need to mess with static DNS entries for this.&lt;/P&gt;
&lt;P&gt;... or I don't understand your issue correctly &lt;span class="lia-unicode-emoji" title=":face_with_tongue:"&gt;😛&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 03 Jul 2022 16:53:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dns-resolution-for-specific-domains/m-p/507800#M105769</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2022-07-03T16:53:28Z</dc:date>
    </item>
  </channel>
</rss>

