https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26075#M19026 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am having troubles configuring dns service route for DNS.</P><P></P><P>DNS servers are behind tagged internal interface of PA-2050 device.</P><P></P><P>I was able to configure that for syslog and it sends all the traffic PA outbound to the server.</P><P></P><P>I was trying to do the same with DNS, but when I do, PA stops sending queries either through management interface or through the interface the routing to dns servers is.</P><P></P><P>I'm not using dnsproxy.</P><P></P><P>Is this enough information for any help ?</P><P>Any options, what should I try ?</P><P></P><P>Best regards,</P><P>Pawel</P></BODY></HTML> Tue, 24 Sep 2013 01:41:08 GMT pawel_stankiewicz 2013-09-24T01:41:08Z https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26075#M19026 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am having troubles configuring dns service route for DNS.</P><P></P><P>DNS servers are behind tagged internal interface of PA-2050 device.</P><P></P><P>I was able to configure that for syslog and it sends all the traffic PA outbound to the server.</P><P></P><P>I was trying to do the same with DNS, but when I do, PA stops sending queries either through management interface or through the interface the routing to dns servers is.</P><P></P><P>I'm not using dnsproxy.</P><P></P><P>Is this enough information for any help ?</P><P>Any options, what should I try ?</P><P></P><P>Best regards,</P><P>Pawel</P></BODY></HTML> Tue, 24 Sep 2013 01:41:08 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26075#M19026 pawel_stankiewicz 2013-09-24T01:41:08Z https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26076#M19027 <HTML><HEAD></HEAD><BODY><P>Hello Pawel,</P><P></P><P>Are you able to ping the DNS servers from the Palo Alto firewall?</P><P></P><P>So, if you are using an interface other than the management interface (example Ethernet1/2), are you able to ping from Ethernet1/2's ip address to the DNS server? OR, if you are using default configuration (i.e management interface), can you ping from the management interface to the DNS servers?</P><P></P><P>Also, the DNS servers configured under Device&gt; Setup &gt; Services - are those internal or external?</P><P></P><P></P><P>Regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 24 Sep 2013 13:40:20 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26076#M19027 kadak 2013-09-24T13:40:20Z https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26077#M19028 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do you see any thing in the traffic logs or threat logs regarding DNS traffic on the PAN being dropped ? </P><P></P><P>Thanks,</P><P></P><P>Syed R Hasnain</P></BODY></HTML> Tue, 24 Sep 2013 13:42:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26077#M19028 shasnain 2013-09-24T13:42:37Z https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26078#M19029 <HTML><HEAD></HEAD><BODY><P>Hello Pawel,</P><P></P><P>If you are configuring service routes for reaching to DNS server through any other interface other than management interface yes we do it as shown in below image.</P><P><IMG alt="dns-test.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8526_dns-test.PNG.png" style="width: 620px; height: 317px;" /></P><P>I have highlighted on left for DNS, we generally select another interface on PAN to pass traffic. In your case seems like this is not working neither the management interface.</P><P></P><P>Steps to ensure:</P><P>1&gt; Do source ping:</P><P>ping source &lt;New interface IP configured on service route&gt; host &lt;Dns server IP&gt;</P><P>If configured right it has to send out pings and we can see outcome. </P><P>2&gt; We can take packet captures on PAN for new interface configured for DNS traffic to pass through and instantly we can see data on the captures, if we do not see then PAN is not passing.</P><P>Based on the captures we may know that if the Dns server if received dns packets from PAN did it respond back or not.</P><P>3&gt; Also in the above image on the right you can select custom values as shown.</P><P>Indicate the DNS server IP in destination field and source address as the new interface IP address.</P><P></P><P>Hope these steps should narrow down the issue.</P><P>Thanks</P></BODY></HTML> Tue, 24 Sep 2013 15:12:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26078#M19029 Phoenix 2013-09-24T15:12:57Z https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26079#M19030 <HTML><HEAD></HEAD><BODY><P>Thank All for help,</P><P></P><P>Sorry for the late reply.</P><P>It turned out firewall itself blocked access to dns-es as there was no security rule for that.</P><P>In fact, this was not obvious as I put a rule for that but somehow it didn't work. I've just opened wide access from "all" zones to dnses and it started to work. Maybe that should be narrowed, but as I'm fighting with other pcularities it was no time to debug.</P><P></P><P>Thanks again,</P><P>Pawel</P></BODY></HTML> Thu, 28 Nov 2013 01:08:54 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-service-route-doesn-t-work/m-p/26079#M19030 pawel_stankiewicz 2013-11-28T01:08:54Z