topic Re: DNS proxy rule in General Topics

DNS proxy rule

SThatipelly — Sat, 13 Apr 2019 12:23:46 GMT

I have a DMZ zone for guest wireless users on Palo Alto. They use our internal server 192.168.10.10 for DNS. I am trying to configure the firewall to force them use 8.8.8.8 for a specific domain eg:*.amazon.com
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.8
Please help in configuring this.

Re: DNS proxy rule

Remo — Sat, 13 Apr 2019 16:25:46 GMT

@SThatipelly wrote:
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work

Yes, this will work with the DNS proxy feature of Paloalto.

@SThatipelly wrote:
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.

For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 8.8.8.8.

Re: DNS proxy rule

Remo — Sat, 13 Apr 2019 18:11:21 GMT

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-dns-proxy/dns-proxy-overview

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-dns-proxy/dns-proxy-settings.html

Re: DNS proxy rule

SThatipelly — Sun, 14 Apr 2019 01:34:00 GMT

@Remo can I do it without having the clients point to firewall interface as DNS server?

Re: DNS proxy rule

SThatipelly — Sun, 14 Apr 2019 05:28:11 GMT

@Remo Also, I'd like to have the endpoints reaching out to the DNS servers but not the firewall. This is because our NAC device evaluates the guest login action based on their DNS and if Firewall proxies it, NAC device will not see the actual endpoint.

I can think of a solution where I can put the following DNS proxy rules so the client goes to them directly:

Rule 1: *.amazon.com-8.8.8.8(DNS server)

Rule 2: * -192.168.x.x(DNS server)

will my 2nd rule catch all the DNS queries and forward it to 192.168.x.x DNS server?

Re: DNS proxy rule

Remo — Sun, 14 Apr 2019 08:21:12 GMT

@SThatipelly

Unfortinately in your case, the DNS proxy is not a transparent proxy. So in your situation you have to configure the forwarding on your internal DNS server.