topic Windows DNS Server behind PA in General Topics

Windows DNS Server behind PA

killerkhan — Fri, 02 Aug 2013 14:29:20 GMT

Did a PA install last night, the client had a public facing DNS server. the DNS server had a public IP before we moved it behind PA to nat it. while it was outside firewall with public IP the DNS queries from internet worked fine without any issues. Once we moved it behind PA and gave it static one-to-one nat with proper security policies for dns tcp and udp port 53 then DNS queries from the internet stopped working. I did see traffic hitting the PA and passed to the internet server properly with proper natting but dns would not work. The server also had ftp and web server and those services worked fine from internet.

Had to move the server back outside the PA to continue service but need to know how to fix this before moving it behind PA again.

So quesiton is, what is PA doing differently with DNS? how can I publish Microsoft DNS server running on windows 2003 Server to the internet? I did proper nat and security policies for the IP and port traffic but no luck. Am I missing something? any help would be greatly appreciated. thanks,

farid

Re: Windows DNS Server behind PA

ericgearhart — Fri, 02 Aug 2013 14:41:16 GMT

Just saying "I did proper NAT and security policies" doesn't really help us honestly... do you have screenshots of your rules?

You could possibly try to build an app override for TCP port 53 and UDP port 53 and apply them to the security rule you built, just to rule out the App-ID engine being the problem.

Re: Windows DNS Server behind PA

killerkhan — Fri, 02 Aug 2013 15:08:57 GMT

unortunately I am not on site today to be able to take screen shots or get logs info. but just a general question, is there anything special or specific that needs to be done on PA devices to publish DNS servers?

Re: Windows DNS Server behind PA

ericgearhart — Fri, 02 Aug 2013 15:15:34 GMT

Not that I'm aware of honestly... if you allow the App-ID DNS inbound it should "just work" in theory.

Re: Windows DNS Server behind PA

killerkhan — Fri, 02 Aug 2013 15:17:26 GMT

so you suggest allowing App-ID DNS instead of service tcp/udp port 53 inbound?

Re: Windows DNS Server behind PA

EdwinD — Fri, 02 Aug 2013 18:14:26 GMT

For what it is worth, I have been running Microsoft DNS servers behind the Palo Alto firewall for quite some time. These are in my DMZ, exposed to the Internet, and allow resolution of a few of our DNS zones. I'm currently running Microsoft server 2012 on these DNS servers.

The Palo Alto firewall rule is nothing special. It is your typical rule to allow incoming traffic, and allows UDP port 53 as a service. I have application set to any.

I have manually configured bi-directional NAT so that inbound and outbound traffic all originates from and terminates to the same public IP address.

One thing that got me when I first setup this up was I forgot to go into the Windows server firewall rules and allow DNS from networks other than the one the server was on.

Re: Windows DNS Server behind PA

ericgearhart — Fri, 02 Aug 2013 19:06:59 GMT

App-ID DNS and "application default" for the service should let DNS in... at least I've not seen PA mis-identify DNS traffic in the past for me.

Re: Windows DNS Server behind PA

killerkhan — Fri, 02 Aug 2013 19:35:37 GMT

just came across this... http://support.microsoft.com/kb/828263

I wonder if this was causing the problems. will try it in next maintenance window

Re: Windows DNS Server behind PA

paloalto_exn — Sun, 23 Nov 2014 17:24:41 GMT

Hi KillerKhan,

did you fix your issue? I am facing your same problem with an infoblox device I need to publish behind a PAVM via PAT on dns53UDP.

Despite I did the right rule, no dns traffic is redirected to the PAN interface...

thx

walter doria

Re: Windows DNS Server behind PA

cpainchaud — Mon, 24 Nov 2014 10:12:53 GMT

Hi,

You should have no problem, you probably misconfigured a NAT rule or the associated Security rule.

You should try not to use a Bi-direction NAT but 2 NAT rules and double check your Security rule (remember the trick for destination NATs).

Re: Windows DNS Server behind PA

jkim2 — Mon, 01 Dec 2014 17:01:33 GMT

probably not but if you want the traffic logs will show bytes sent / recv sizes.

more than likely a nat misconfiguration.