<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DNS proxy not responding to requests in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/552702#M112430</link>
    <description>&lt;P&gt;I don't think you read all the details. Using&amp;nbsp;&lt;SPAN&gt;'test dns-proxy query' on the CLI also failed, proving any client DNS misconfig is not the issue.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I went back to this and did some digging into dnsproxyd on a different deployment and found that after the DNS proxy receives the DNS request on configured listening interfaces, it will send out the DNS request to the correct IP according to its rules; however, it sends it on the interface it received the original DNS request on. It will ignore the DNS service interface/destination routes, as well as route tables. Unless there is a hidden setting not mentioned in the admin guides, this looks like a bug to me.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;This issue may not be encountered in larger deployments with multiple vsys, with the use of DNS profiles:&amp;nbsp;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dns/dns-server-profile" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dns/dns-server-profile&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 06 Aug 2023 22:02:35 GMT</pubDate>
    <dc:creator>BumblingFixer</dc:creator>
    <dc:date>2023-08-06T22:02:35Z</dc:date>
    <item>
      <title>DNS proxy not responding to requests</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/545694#M111579</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;I cannot seem to get DNS proxy working on a PAN-440 box for a simple network topology. Hosts on the .20.0/24 subnet cannot resolve DNS using the proxy either from external or domain. I logged denied DNS requests to external DNS from ethernet 1/8's IP, so I created a rule to allow them. Opening up the security policy a bit, the .20.0 hosts can resolve from external DNS directly, showing static routes are OK etc.&lt;/P&gt;
&lt;P&gt;I used 'test dns-proxy query' and 'show dns-proxy cache all' with ethernet 1/8 and no entries were logged (mgmt-obj using service routes had no problem). Weirdly enough, I got cached DNS entries OK when querying the DNS proxy using the external interface 1/1.&lt;/P&gt;
&lt;P&gt;Anything I have overlooked? Thanks for your help.&lt;/P&gt;
</description>
      <pubDate>Tue, 13 Jun 2023 04:37:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/545694#M111579</guid>
      <dc:creator>BumblingFixer</dc:creator>
      <dc:date>2023-06-13T04:37:05Z</dc:date>
    </item>
    <item>
      <title>Re: DNS proxy not responding to requests</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/545770#M111589</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/297299"&gt;@BumblingFixer&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;If you have your internal clients set up to utilize the dns-proxy properly, you shouldn't need to allow your clients access to internal DNS servers, which&amp;nbsp;&lt;EM&gt;appears&amp;nbsp;&lt;/EM&gt;to be what you're doing from a brief glance at your configuration. The firewall will handle forwarding when required; the clients don't need access to those external providers.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It seems like your clients aren't actually configured to utilize the dns-proxy configured interface IPs, based on what you're reporting. I'd double-check that your clients are actually sending DNS requests to the interfaces you have dns-proxy enabled on, and that DNS isn't set up to still resolve to the external providers.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 13 Jun 2023 14:00:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/545770#M111589</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2023-06-13T14:00:32Z</dc:date>
    </item>
    <item>
      <title>Re: DNS proxy not responding to requests</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/552702#M112430</link>
      <description>&lt;P&gt;I don't think you read all the details. Using&amp;nbsp;&lt;SPAN&gt;'test dns-proxy query' on the CLI also failed, proving any client DNS misconfig is not the issue.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I went back to this and did some digging into dnsproxyd on a different deployment and found that after the DNS proxy receives the DNS request on configured listening interfaces, it will send out the DNS request to the correct IP according to its rules; however, it sends it on the interface it received the original DNS request on. It will ignore the DNS service interface/destination routes, as well as route tables. Unless there is a hidden setting not mentioned in the admin guides, this looks like a bug to me.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;This issue may not be encountered in larger deployments with multiple vsys, with the use of DNS profiles:&amp;nbsp;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dns/dns-server-profile" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dns/dns-server-profile&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 06 Aug 2023 22:02:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-responding-to-requests/m-p/552702#M112430</guid>
      <dc:creator>BumblingFixer</dc:creator>
      <dc:date>2023-08-06T22:02:35Z</dc:date>
    </item>
  </channel>
</rss>

