https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49208#M36242 <HTML><HEAD></HEAD><BODY><P>I'm looking on how to configure DNS proxy on PAN and found below link that provide great information.</P><P></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="3637" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-3637">https://live.paloaltonetworks.com/docs/DOC-3637</A></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="3522" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-3522">https://live.paloaltonetworks.com/docs/DOC-3522</A></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="4633" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-4633">https://live.paloaltonetworks.com/docs/DOC-4633</A></P><P></P><P>However, it does not cover the design that I want for DNS resolution and protect our internal DNS servers.</P><P></P><P>- I would like to check if anyone has done configuring their internal DNS server to use PAN (DNS Proxy configuration) as a DNS forwarder to resolved all external DNS??</P><P>&nbsp;&nbsp;&nbsp; - PAN DNS Proxy will have entry for public DNS server coming from our local ISP server provider at the same time PAN firewall is configured to forward DNS resolution bound for our local domain resolution</P><P></P><P>- Using the above setup, I can protect my internal DNS since all external DNS resolution will be coming from PAN Firewall.</P><P></P><P>Any information or ideas are highly appreciated</P><P></P><P>Cheers,</P><P>Erwin</P></BODY></HTML> Tue, 15 Jul 2014 04:03:32 GMT ErwinBuena 2014-07-15T04:03:32Z https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49208#M36242 <HTML><HEAD></HEAD><BODY><P>I'm looking on how to configure DNS proxy on PAN and found below link that provide great information.</P><P></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="3637" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-3637">https://live.paloaltonetworks.com/docs/DOC-3637</A></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="3522" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-3522">https://live.paloaltonetworks.com/docs/DOC-3522</A></P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="4633" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-4633">https://live.paloaltonetworks.com/docs/DOC-4633</A></P><P></P><P>However, it does not cover the design that I want for DNS resolution and protect our internal DNS servers.</P><P></P><P>- I would like to check if anyone has done configuring their internal DNS server to use PAN (DNS Proxy configuration) as a DNS forwarder to resolved all external DNS??</P><P>&nbsp;&nbsp;&nbsp; - PAN DNS Proxy will have entry for public DNS server coming from our local ISP server provider at the same time PAN firewall is configured to forward DNS resolution bound for our local domain resolution</P><P></P><P>- Using the above setup, I can protect my internal DNS since all external DNS resolution will be coming from PAN Firewall.</P><P></P><P>Any information or ideas are highly appreciated</P><P></P><P>Cheers,</P><P>Erwin</P></BODY></HTML> Tue, 15 Jul 2014 04:03:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49208#M36242 ErwinBuena 2014-07-15T04:03:32Z https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49209#M36243 <HTML><HEAD></HEAD><BODY><P><SPAN class="GINGER_SOFTWARE_mark">Few</SPAN> related discussions for your reference:</P><P></P><P>DNS Proxy -- <A _jive_internal="true" href="https://live.paloaltonetworks.com/thread/8699">https://live.paloaltonetworks.com/thread/8699</A></P><P>DNS Proxy -- <A _jive_internal="true" href="https://live.paloaltonetworks.com/thread/6767">https://live.paloaltonetworks.com/thread/6767</A></P><P><A href="https://live.paloaltonetworks.com/message/36564">DNS proxy</A></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks</SPAN></P></BODY></HTML> Tue, 15 Jul 2014 06:10:48 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49209#M36243 HULK 2014-07-15T06:10:48Z https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49210#M36244 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk for the feedback</P></BODY></HTML> Tue, 15 Jul 2014 09:03:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49210#M36244 ErwinBuena 2014-07-15T09:03:55Z https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49211#M36245 <HTML><HEAD></HEAD><BODY><P>You can configure your DHCP to tell your clients to have the internal interface of the firewall as their DNS. Then use DNS Proxy to handle the DNS resolution. You can also deploy a security policy to Deny all dns requests going to the outside (from anyone except the firewall), and only let users resolve DNS if they use your firewall's trust interface.</P></BODY></HTML> Tue, 15 Jul 2014 22:47:24 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49211#M36245 mivaldi 2014-07-15T22:47:24Z https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49212#M36246 <HTML><HEAD></HEAD><BODY><P><BR />Hi Mivaldi,</P><P></P><P>Thanks for the information. Deploying the PAN internal Interface as the DNS for all DHCP client will not scale out and it's adds up additional time for DNS resolution for internal networks.</P><P></P><P>Reading all the discussion about DNS forwarding in this forum provide me great information including the one that you mention.</P><P>1. I've decided to configure our internal DNS server to have a DNS forwarder point to PAN Internal Network for Internet (external) DNS Resolution and query data to our ISP Public DNS.</P><P>2. External DNS will only communicating for all DNS resolution via PAN DNS Proxy.</P><P></P><P>Cheers,</P><P>Erwin</P></BODY></HTML> Tue, 15 Jul 2014 23:14:23 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-as-a-dns-forwarder-to-resolve-external-dns-names/m-p/49212#M36246 ErwinBuena 2014-07-15T23:14:23Z