https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35076#M25760 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">If you are pinging directly from the firewall itself , as shown below, the firewall pings 8.8.8.8 via the management interface. The firewall uses the DNS servers configured under the management interface settings to resolve google.com to its IP address. </SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">&gt;ping host 8.8.8.8, </SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">&gt;ping host google.com</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">The PA device will need a layer3 interface with an IP address to act as the DNS proxy, and your users will point to this IP address as the DNS server.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">PLease refer to the below links that have an answer to your question.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/28716#28716">https://live.paloaltonetworks.com/message/28716#28716</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3522">https://live.paloaltonetworks.com/docs/DOC-3522</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/12588#12588">https://live.paloaltonetworks.com/message/12588#12588</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4633">https://live.paloaltonetworks.com/docs/DOC-4633</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Hope that helps!</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">BR,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Karthik <BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P></BODY></HTML> Mon, 16 Sep 2013 13:28:28 GMT kprakash 2013-09-16T13:28:28Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35075#M25759 <HTML><HEAD></HEAD><BODY><P>I have configured DNS Proxy on a PA200 with PANOS 4.1.9, with two interfaces enabled for DNS proxy service and two default public DNS as primary and secondary.</P><P>But on system monitor, on DNS Proxy object, I find: "Failed to resolve domain name: &lt;domain-name &gt; after trying all attempts to name server(s): 8.8.4.4&nbsp; 8.8.8.8 .</P><P>Which is the source IP address of the DNS request executed by DNS-Proxy ? Is this the problem or other ?</P><P>Thanks.</P></BODY></HTML> Mon, 16 Sep 2013 13:16:29 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35075#M25759 lauro7 2013-09-16T13:16:29Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35076#M25760 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">If you are pinging directly from the firewall itself , as shown below, the firewall pings 8.8.8.8 via the management interface. The firewall uses the DNS servers configured under the management interface settings to resolve google.com to its IP address. </SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">&gt;ping host 8.8.8.8, </SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">&gt;ping host google.com</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">The PA device will need a layer3 interface with an IP address to act as the DNS proxy, and your users will point to this IP address as the DNS server.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">PLease refer to the below links that have an answer to your question.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/28716#28716">https://live.paloaltonetworks.com/message/28716#28716</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3522">https://live.paloaltonetworks.com/docs/DOC-3522</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/12588#12588">https://live.paloaltonetworks.com/message/12588#12588</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4633">https://live.paloaltonetworks.com/docs/DOC-4633</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Hope that helps!</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">BR,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Karthik <BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P></BODY></HTML> Mon, 16 Sep 2013 13:28:28 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35076#M25760 kprakash 2013-09-16T13:28:28Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35077#M25761 <HTML><HEAD></HEAD><BODY><P>Thank you for your help, but my question is different. I tried by logging policies rules and I find that it's need to permit, in the security policies, the traffic from the IP addresses of the interfaces, on which I have enabled DNS proxy, destinated to the public DNS configured in the DNS proxy form. Then DNS proxy is correctly enabled and solve all requests received from the users. Without this security policy rule the appliance was not able to redirect DNS queries to public DNS.</P><P>Best Regards.</P><P></P><P>LA</P></BODY></HTML> Mon, 16 Sep 2013 14:06:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35077#M25761 lauro7 2013-09-16T14:06:48Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35078#M25762 <HTML><HEAD></HEAD><BODY><P>I am assuming that you have a clean up rule configured, which lies on the end of the security rules list. If so, we certainly need this rule, because the PANFW has to communicate to the DNS servers via the interfaces configured ( and this communication is via the data-plane and is not considered host inbound or host outbound traffic ).</P></BODY></HTML> Mon, 16 Sep 2013 15:06:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy/m-p/35078#M25762 kprakash 2013-09-16T15:06:48Z