https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/193952#M58084 <P>I'm assuming your loopback interface is actually in the trust zone?</P> <P>&nbsp;</P> <P>Have you tried setting the DNS proxy to use the upstream DNS servers your ISP provides, as they may provide better service than the google ones.</P> <P>203.40.0.0/13 appears to be located in Australia, so you may benefit from using DNS closer to your office to prevent running into peering issues</P> Fri, 05 Jan 2018 09:12:24 GMT reaper 2018-01-05T09:12:24Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/193940#M58083 <P>Hello,</P><P>&nbsp;</P><DIV>We are currently getting resolve-fail events for DNS.&nbsp;</DIV><DIV>Failed to resolve domain name: after trying all attempts to name server(s): 8.8.8.8 8.8.4.4</DIV><DIV>DNS server is in loopback.2 Interface/Untrust/IP:203.44.x.x</DIV><DIV>&nbsp;</DIV><DIV>Below are some pics of DNS proxy settings, session details. Can someone please shed some light what are we missing?</DIV><DIV>&nbsp;</DIV><DIV><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sessiondetails.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13138i6D8AFFF952D450A6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="sessiondetails.jpg" alt="sessiondetails.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS Proxy.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13139i0D13FDFF3E17C8E6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DNS Proxy.jpg" alt="DNS Proxy.jpg" /></span></DIV><DIV>&nbsp;</DIV> Fri, 05 Jan 2018 04:52:06 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/193940#M58083 Farzana 2018-01-05T04:52:06Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/193952#M58084 <P>I'm assuming your loopback interface is actually in the trust zone?</P> <P>&nbsp;</P> <P>Have you tried setting the DNS proxy to use the upstream DNS servers your ISP provides, as they may provide better service than the google ones.</P> <P>203.40.0.0/13 appears to be located in Australia, so you may benefit from using DNS closer to your office to prevent running into peering issues</P> Fri, 05 Jan 2018 09:12:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/193952#M58084 reaper 2018-01-05T09:12:24Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/194223#M58133 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;thank you for your response!</P><P>&nbsp;</P><P>Actually loopback is in the untrust zone. I have checked the admin guide and it does not specify that Interface needs to be in the trust zone.&nbsp;</P><P>Can you please clarify?</P> Mon, 08 Jan 2018 00:41:16 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/194223#M58133 Farzana 2018-01-08T00:41:16Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/194261#M58138 <P>The log you attached shows the source to be an internal IP in the trust zone going out to untrust 8.8.4.4</P> <P>&nbsp;</P> <P>So if your dns proxy is on a loopback in the untrust zone, the log you attached does not match your dns proxy</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Did you configure your clients to use the IP of your DNS proxy interface as their DNS server ? For the proxy to work, the clients need to use "the firewall" as their preferred dns server (or the internal DNS needs to use the firewall as it's upstream server)</P> Mon, 08 Jan 2018 09:12:03 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-not-working/m-p/194261#M58138 reaper 2018-01-08T09:12:03Z