https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286520#M76606 <P>run wireshark on PC check for DNS packet</P><P>&nbsp;</P><P>enabled packet capture on firewall to check DNS traffic.</P><P>&nbsp;</P><P>As mentioned check security policy between different zones.</P> Wed, 04 Sep 2019 11:32:05 GMT fatboy1607 2019-09-04T11:32:05Z https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286021#M76531 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>hoping someone could possibly shed some light on what I maybe missing in the configuration...Im going out of my mind looking at this as I just cant see it, ill try to keep it short....</P><P>&nbsp;</P><P>I recently replaced our offsite meeting room location Juniper SRX with a PA-220:</P><UL><LI>PPPoe Setup with VDSL modem</LI><LI>VPN tunnel back to main office&nbsp;</LI><LI>Meraki AP to provide CORP and Guest wifi (both networks broadcast from same AP)&nbsp;</LI><LI>Internet access pushed back to main office firewall and onto proxy server for filtering (will be removing proxy servers but not yet)</LI><LI>DHCP configured on Interface for CORP Wifi</LI></UL><P>The above setup worked without issues on the SRX - since moving across to the PA-220 I am having issues with DNS resolution:</P><P>&nbsp;</P><UL><LI>Able to perform NSLOOKUP to domain controller at main site and resolve</LI><LI>unable to resolve any hostname from CORP Wifi</LI><LI>Tested connecting directly to the firewall via cable and setting up test network - same issues&nbsp;</LI></UL><P>I am aware that a whole number of things could cause these issues so ill list what we have done/ tested/ setup</P><P>&nbsp;</P><UL><LI>x2 layer 3 subinterfaces one for CORP wifi and one for GUEST wifi - both tagged but no VLAN's configured on the PA-220</LI><LI>layer 3 sub interface for CORP wifi has DHCP configured with internal DNS servers - policy created to push internet traffic from this zone across the VPN tunnel to the Proxy server for internet access - VPN tunnel is up and no issues with PPPoe network access</LI><LI>Layer 3 Sub interface for GUEST wifi goes straight out of the firewall for internet access&nbsp;</LI><LI>NAT rule created for GUEST wifi - this wifi access works without issues, external DNS resolutoin with no issues</LI><LI>Security policies created for DC Comms including DNS access - I can see traffic coming from the PA-220 and hitting the main office firewall as allowed when running nslookups and traceroutes</LI><LI>Clients can obtain IP addresses from the DHCP set up on CORP Wifi and have the correct internal DNS settings</LI><LI>When attempting to access any internal resource by DNS name it immediately fails</LI></UL><P>The more i look at it the more i know ive probably missed something but cant put my finger on what....</P><P>&nbsp;</P><P>Any one have any ideas?</P><P>&nbsp;</P><P>Many thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Fri, 30 Aug 2019 15:50:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286021#M76531 VictoriaMyatt1 2019-08-30T15:50:57Z https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286042#M76533 <P>Hello,</P><P>Do you have logging enabled on the default policies, Inter/Intra zone? If not enable then and check the logs for dns traffic. If your WiFi is in a different zone than you VPN tunnel (it should be), check the logs to see if its getting blocked somewhere.</P><P>&nbsp;</P><P>Regards,</P> Fri, 30 Aug 2019 16:44:40 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286042#M76533 OtakarKlier 2019-08-30T16:44:40Z https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286520#M76606 <P>run wireshark on PC check for DNS packet</P><P>&nbsp;</P><P>enabled packet capture on firewall to check DNS traffic.</P><P>&nbsp;</P><P>As mentioned check security policy between different zones.</P> Wed, 04 Sep 2019 11:32:05 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-issues/m-p/286520#M76606 fatboy1607 2019-09-04T11:32:05Z