https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332733#M84101 <P>Hi Community,</P><P>&nbsp;</P><P>I can see my firewall is sending DNS requests ( request for A record) to resolve some of internal hostnames.</P><UL><LI>I dont have GP/detect internal host configured</LI><LI>I dont have FQDN objects with these hostnames</LI><LI>I have exported and checked entire config, the firewall is not having this hostname in the configuration</LI><LI>It is requesting for A record ( so 'resolve hostname' is not causing it.</LI><LI>Dont have DNS proxy configured in firewall</LI><LI>This are internal hostnames, not malicious, which rule out DNS queries because of HTTP/TLS evasion</LI></UL><P>This looks like firewall is trying to resolve in real time. I understands that firewall will be using DNS for&nbsp;<SPAN>reporting, management services (such as email, Kerberos, SNMP, syslog) as per document. But not sure because of which of this reason firewall is trying to resolve these internal hostnames. It would be helpful if anybody can answer this.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks in advance !&nbsp;</SPAN></P> Wed, 10 Jun 2020 07:50:45 GMT Abdul_Razaq 2020-06-10T07:50:45Z https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332733#M84101 <P>Hi Community,</P><P>&nbsp;</P><P>I can see my firewall is sending DNS requests ( request for A record) to resolve some of internal hostnames.</P><UL><LI>I dont have GP/detect internal host configured</LI><LI>I dont have FQDN objects with these hostnames</LI><LI>I have exported and checked entire config, the firewall is not having this hostname in the configuration</LI><LI>It is requesting for A record ( so 'resolve hostname' is not causing it.</LI><LI>Dont have DNS proxy configured in firewall</LI><LI>This are internal hostnames, not malicious, which rule out DNS queries because of HTTP/TLS evasion</LI></UL><P>This looks like firewall is trying to resolve in real time. I understands that firewall will be using DNS for&nbsp;<SPAN>reporting, management services (such as email, Kerberos, SNMP, syslog) as per document. But not sure because of which of this reason firewall is trying to resolve these internal hostnames. It would be helpful if anybody can answer this.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks in advance !&nbsp;</SPAN></P> Wed, 10 Jun 2020 07:50:45 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332733#M84101 Abdul_Razaq 2020-06-10T07:50:45Z https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332798#M84113 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>,</P><P>Do you have WMI probing enabled within User Identification?&nbsp;</P> Wed, 10 Jun 2020 14:28:23 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332798#M84113 BPry 2020-06-10T14:28:23Z https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332804#M84114 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;,</P><P>&nbsp;</P><P>Thanks for your input.</P><P>I thought of this possibility as&nbsp;WMI probing is enabled, but as the user IP mapping entries will be IP address, i don't see a need for PA to do a DNS query for device hostnames other than the hostname of AD servers.</P><P>I am wondering if there is any two way of verification to find the hostname of an IP, then a DNS query for A record for verifying it.</P><P>&nbsp;</P><P>Thanks in advance.</P> Wed, 10 Jun 2020 14:38:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/332804#M84114 Abdul_Razaq 2020-06-10T14:38:15Z https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/336220#M84701 <P>Hi All,</P><P>&nbsp;</P><P>Anybody have any though on this.. i can see the DNS query for only couple of servers (it should not be for WMI i feel as i can see it only for very less endpoints directly connected to firewall). I am even confused how firewall got this hostname in first place.</P><P>&nbsp;</P><P>Thanks in advance.</P> Wed, 01 Jul 2020 06:01:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-queries-to-resolve-internal-hosts-from-pa-managment-ip/m-p/336220#M84701 Abdul_Razaq 2020-07-01T06:01:15Z