https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/361505#M88190 <P>Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.<BR />Does someone have any suggestion how I could solve this?<BR />I'm using PanOS 10.0.2</P> Sun, 08 Nov 2020 07:20:01 GMT Chris.Ka 2020-11-08T07:20:01Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/361505#M88190 <P>Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.<BR />Does someone have any suggestion how I could solve this?<BR />I'm using PanOS 10.0.2</P> Sun, 08 Nov 2020 07:20:01 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/361505#M88190 Chris.Ka 2020-11-08T07:20:01Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/361540#M88197 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96349">@Chris.Ka</a>,</P> <P>Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug.&nbsp;</P> <P>&nbsp;</P> <P>FYI,</P> <P>Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related.&nbsp;</P> Sun, 08 Nov 2020 18:41:17 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/361540#M88197 BPry 2020-11-08T18:41:17Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/364847#M88517 <P>I do notice the same issue. Did they found the root cause? If not I would also open a ticket to help them finding the roort cause.</P> Mon, 23 Nov 2020 13:04:20 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/364847#M88517 kevin_thys 2020-11-23T13:04:20Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/381794#M89771 <P>Also "dns cache" should be applied at the "proxy rule" level, not the parent layer.</P> Sun, 24 Jan 2021 10:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/381794#M89771 jmretting 2021-01-24T10:57:53Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/383370#M89950 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96349">@Chris.Ka</a>&nbsp;wrote:<BR /><P>Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.<BR />Does someone have any suggestion how I could solve this?&nbsp;<FONT face="comic sans ms,sans-serif" size="1 2 3 4 5 6 7" color="#FFFFFF"><A href="https://www.mygroundbiz.club/" target="_self">mybizaccount</A></FONT><BR />I'm using PanOS 10.0.2</P><HR /></BLOCKQUOTE><P><SPAN>I think I am also facing this issue. but&nbsp;Thanks for the information.</SPAN></P> Thu, 04 Feb 2021 08:12:53 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/383370#M89950 TerryStevens 2021-02-04T08:12:53Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389641#M90636 <P>Same issue found on 10.0.4</P> Mon, 08 Mar 2021 03:44:54 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389641#M90636 DavidRees_Imdex 2021-03-08T03:44:54Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389648#M90637 <P>I have found that PA management DNS fails if Cache is disabled on the DNS Proxy. I needed to break out DNS management interface from a bug fixed DNS proxy with cache disabled. And then enable cache and replicate any dns/static rules. I have identified *.intuit.com and *.sharepoint.com. Applying non-cache enabled rules for those domains in your DNS proxy will fix failing lookups. However I don't know if there is any reasonable way to determine what FQDN's are affects. In which case....DNS Proxy cache should not be used on version 10 in any production environment. Needing to enable cache on the managment interface for DNS also means there is no way to apply firewall policies regarding those afflicted unknown/known FQDNs. v10 is not production ready. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Mon, 08 Mar 2021 04:24:40 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389648#M90637 morgnercoit 2021-03-08T04:24:40Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389663#M90640 <P>I have created an support case for this issue and its a known issue. Here is the important part from the support response:</P><P>Root cause:-</P><P>When dnsproxy cache is enabled, we always prepare the response from the cache (regardless if we have the records in cache already or we need to forward the request to a name sever first)<BR />During this process, dnsproxy does not check if the prepared DNS response is too big or not (default udp limit should be 512 bytes). So the DNS response prepared by dnsproxy could be dropped by other PAN FWs or network devices if the size is larger than the limit (512 or otherwise specified in EDNS)</P><P>This problem usually happens with nested CNAME records and when cache is used due to dnsproxy's limited compression ability.</P><P><BR />As a workaround, one can<BR />1. disable cache<BR />2. add DNS proxy rule for this FQDN and not use cache<BR />3. use EDNS (it allows larger UDP DNS)</P> Mon, 08 Mar 2021 07:18:09 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389663#M90640 Chris.Ka 2021-03-08T07:18:09Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389664#M90641 <P>I have found that if you have a tunnel interface assigned as DNS Service route, and you turn DNS Proxy cache off, resolution fails for all FQDNs.</P> Mon, 08 Mar 2021 07:29:17 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/389664#M90641 morgnercoit 2021-03-08T07:29:17Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/394127#M91079 <P>Looks like its fixed in 10.0.5. Looks like a combination of multiple, from what it looks like, DNS proxy fixes according according release notes.</P> Fri, 26 Mar 2021 05:42:32 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-sharepoint-domain-issue-when-cache-enabled/m-p/394127#M91079 jmretting 2021-03-26T05:42:32Z