topic Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service) in General Topics

Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

kalyanram.piratla — Tue, 08 May 2012 13:40:42 GMT

Hi Guys,

What support does the Palo Alto Firewall offer in terms of forwarding on mDNS (multicast DNS, more specifically Apples Bonjour Service)?

I have a customer where they have the student and staff wireless network on a seperate VLAN, with the Palo Alto Captive Portal as the only route out. Will it require to add a "hardened" apple server to the same network or will the Palo Alto allow to pass the requests through?

With more iPads wanting to be hooked up to Apple TV or Printing from iPads, I would welcome any potential input or any document you could offer.

Secondly, is there any document on how to configure the DNS proxy available?

Many Thanks,

Kind Regards,

Kalyan

Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

mikand — Tue, 08 May 2012 13:51:53 GMT

A workaround could be to setup your dhcp server to instruct your wifi clients to use particular dnsservers instead of this mDNS mumbojumbo.

If you dont have your own resolvers you could use googles at 8.8.8.8 and 8.8.4.4 or some of the public ones provided by opendns.

Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

kalyanram.piratla — Tue, 08 May 2012 14:49:58 GMT

I am sorry; could not understand that in terms of configuration. I assume when you mean DHCP server, it is the DHCP server on the Palo Alto.

The issue is; can Palo Alto work as the DNS Server (my experience says NO, but if there was any other way)? because in this case, i am trying to have the Palo as the DNS server.

Hope you understand by what I meant...

Cheers..

Kal

Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

mikand — Tue, 08 May 2012 20:53:23 GMT

When the client requests dhcp information some dhcp server on your network will reply (if you use dhcp unless you use static addressing).

I dont know if you run your PA as dhcp server or if you have a dedicated box for this task. Either way you can configure the dhcp server to not only tell the client which ip address to use, which netmask to use and which default gateway to use - but also which dns1 and dns2 the client should use.

If you dont have your own dns-resolvers on a DMZ or such you can use public dns-servers. Two available (from Google) is one with ip address 8.8.8.8 and one with ip 8.8.4.4 (given that your clients are allowed to reach Internet).

This way you dont need to allow mDNS through your PA device (unless I completely misunderstood your case?).

Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

kalyanram.piratla — Wed, 09 May 2012 09:55:35 GMT

In this case; the DNS resolvers should be the Palo Alto Firewall. Hence I was thinking of having the mDNS to be allowed by Palo Alto. Makes any sense..??

Re: Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

mharding — Wed, 13 Feb 2013 13:56:36 GMT

DNS and mDNS shouldn't be confused. mDNS is a broadcast on that VLAN to specific UDP ports. The broadcast advertises what the client can do; like Screen Sharing or AirPlay. What you're looking for is a Bonjour Gateway.

If you have all your VLANs running through the Palo Alto, you could try creating a multicast rule between the VLANs/Zones with these UDP ports being allowed: 554,54780,62572,5353,5298,5297