topic Re: DNS Proxy - Can I use it to resolve all outbound in General Topics

DNS Proxy - Can I use it to resolve all outbound

bwaaso — Mon, 04 Apr 2011 17:40:21 GMT

Can I use the DNS Proxy to resolve all of my outbound DNS queries?

I would like to point my inside DNS servers to the Palo Alto firewall and then let the firewall resolve the DNS query.

Re: DNS Proxy - Can I use it to resolve all outbound

reaper — Tue, 05 Apr 2011 08:05:45 GMT

Yes you can

For this to work you would only need to create a new dns proxy, connect it to an interface and configure its primary and secondary upstream DNS servers. Then you would need to point your internal DNS server to the internal IP of the (L3) interface and make sure a security policy allows connection from the inside to the internal interface and from the external interface to the internet.

Take note it will require upstream DNS servers, the proxy can't do root lookups on its own

regards

Re: DNS Proxy - Can I use it to resolve all outbound

bwaaso — Tue, 05 Apr 2011 14:06:20 GMT

How do I allow the inside interface to accecpt DNS requests?

Re: DNS Proxy - Can I use it to resolve all outbound

reaper — Tue, 05 Apr 2011 15:57:20 GMT

firstly by enabling DNS proxy and secondly verifying your rulebase: in the default rulebase this will be automatically accepted, if you have a drop rule at the end of your rulebase for "any", this will be denied so you will need to create a rule that accepts dns queries to the firewall's interface IP

regards

Re: DNS Proxy - Can I use it to resolve all outbound

migration — Tue, 05 Apr 2011 18:01:04 GMT

So, are you saying that if I am using PA firewalls as my edge authoritative DNS server I couldn't point it to a list of root servers for external lookups for example? Is this done by design?

Re: DNS Proxy - Can I use it to resolve all outbound

reaper — Wed, 06 Apr 2011 10:16:39 GMT

the proxy dns was designed as a stub resolver so it is able to bend certain dns queries to an alternative dns server of your choice and have all the other dns entries handled by an upstream DNS server (recursor)

it will also not be able to handle as authoritative as we don't hold zones, we forward depending on the query

regards

Tom

Re: DNS Proxy - Can I use it to resolve all outbound

bdaussin — Fri, 09 Sep 2011 04:22:55 GMT

Hi,

we are trying to do exactly the same thing : we setup a DNS proxy which has to send all DNS requests to the Internet except those for our own domain ( let say mydomain.com ), but all DNS requests are sent to internet !!

The setup is the following in the PAN setup box :

- primary and secondary DNS are set to point to Internet DNS.

- We add a DNS rule : mydomain.com => our DNS.

Is there anything special to do for this feature to work as expected, syntax or whatever ? We are running PAN OS 4.0.4.

Thanks for you help.

Re: DNS Proxy - Can I use it to resolve all outbound

mharding — Wed, 14 Sep 2011 17:11:08 GMT

Could you do it the other way?

Have your clients point to the internal DNS server. Configure the DNS server to forwards all other requests to the PAN interface hosting the DHCP Proxy?

Re: DNS Proxy - Can I use it to resolve all outbound

bdaussin — Thu, 15 Sep 2011 04:22:13 GMT

Hi,

thanks for your proposal, but actualy, it's for DMZ servers. They have to request both internal and outside DNS servers. We don't have any DNS forwarding setup on our internal DNS.

PAN split DNS does not works

Re: DNS Proxy - Can I use it to resolve all outbound

mharding — Fri, 16 Sep 2011 18:44:25 GMT

It can work the way you want it to.I have quite a few DNS Proxy rules setup. In the rule I have

domainname.com

*.domainname.com

all forwarding to the Internal DNS servers. Everything else goes to an ISP DNS server.

I suggest you use CLI scripting if you have a bunch of internal domains to import.

Re: DNS Proxy - Can I use it to resolve all outbound

seniornwb — Tue, 27 Sep 2011 12:21:28 GMT

I am having the same issue, even though the local domain names have been setup and dns servers for these domains have been specified, all traffic that should have gone to the internal dns servers is sent to the internet dns servers instead. We are running pan-os 4.05. Static and internetaddresses are resolved correctly, but local addresses are not (non existent domain or internet values for A records, instead of local values)

Re: DNS Proxy - Can I use it to resolve all outbound

bdaussin — Tue, 27 Sep 2011 14:01:45 GMT

Sorry to say that, but i'm pleased to see we are not alone with this issue.

We'll open a case.

regards,

Re: DNS Proxy - Can I use it to resolve all outbound

seniornwb — Fri, 14 Oct 2011 12:30:47 GMT

Did you receive a reply from PA about the case yet ?

regards,

Hen