PAN as a DNS Forwarder to resolve External DNS Names

L2 Linker

PAN as a DNS Forwarder to resolve External DNS Names

I'm looking into how to configure DNS proxy on PAN and found the links below, which provide great information.

https://live.paloaltonetworks.com/docs/DOC-3637

https://live.paloaltonetworks.com/docs/DOC-3522

https://live.paloaltonetworks.com/docs/DOC-4633

However, they do not cover the design that I want for DNS resolution and for protecting our internal DNS servers.

- I would like to check if anyone has configured their internal DNS server to use PAN (DNS Proxy configuration) as a DNS forwarder to resolve all external DNS?

    - PAN DNS Proxy will have an entry for the public DNS server coming from our local ISP server provider; at the same time, the PAN firewall is configured to forward DNS resolution bound for our local domain resolution.

- Using the above setup, I can protect my internal DNS since all external DNS resolution will be coming from PAN Firewall.

Any information or ideas are highly appreciated.

Cheers,

Erwin

L7 Applicator

Re: PAN as a DNS Forwarder to resolve External DNS Names

A few related discussions for your reference:

DNS Proxy -- https://live.paloaltonetworks.com/thread/8699

DNS Proxy -- https://live.paloaltonetworks.com/thread/6767

DNS proxy

Thanks

L2 Linker

Re: PAN as a DNS Forwarder to resolve External DNS Names

Thanks Hulk for the feedback

L6 Presenter

Re: PAN as a DNS Forwarder to resolve External DNS Names

You can configure your DHCP to tell your clients to have the internal interface of the firewall as their DNS. Then use DNS Proxy to handle the DNS resolution. You can also deploy a security policy to deny all DNS requests going to the outside (from anyone except the firewall), and only let users resolve DNS if they use your firewall's trust interface.

L2 Linker

Re: PAN as a DNS Forwarder to resolve External DNS Names


Hi Mivaldi,

Thanks for the information. Deploying the PAN internal interface as the DNS for all DHCP clients will not scale out, and it adds additional time for DNS resolution for internal networks.

Reading all the discussions about DNS forwarding in this forum provided me great information, including the one that you mentioned.

1. I've decided to configure our internal DNS server to have a DNS forwarder pointing to the PAN internal network for Internet (external) DNS resolution and query data to our ISP public DNS.

2. External DNS will only be communicating for all DNS resolution via PAN DNS Proxy.

Cheers,

Erwin
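
Added example, not part of any post in this thread: a small audit that checks exported flow records against the forwarder chain described above (clients to internal DNS, internal DNS to the PAN DNS Proxy, firewall to ISP DNS) together with the deny rule for all other outbound DNS. Every address and the CSV layout are assumptions for illustration, not PAN-OS log format.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# All addresses are assumed values (RFC 1918 / RFC 5737 ranges).
INTERNAL_NET = ip_network("10.0.0.0/8")
INTERNAL_DNS = {ip_address("10.0.0.53")}   # internal DNS servers
FW_PROXY = ip_address("10.0.0.1")          # firewall trust interface running DNS Proxy
FW_EGRESS = ip_address("203.0.113.1")      # firewall untrust interface
ISP_DNS = {ip_address("198.51.100.53")}    # ISP public resolvers

def classify(src, dst):
    """Return the hop name if (src, dst) is a permitted DNS hop, else None."""
    if src in INTERNAL_NET and src not in INTERNAL_DNS and dst in INTERNAL_DNS:
        return "client->internal-dns"
    if src in INTERNAL_DNS and dst == FW_PROXY:
        return "internal-dns->fw-proxy"
    if src == FW_EGRESS and dst in ISP_DNS:
        return "fw-proxy->isp"
    return None

def audit(log_text):
    """Split off-path port-53 flows into policy gaps (allowed) and blocked attempts."""
    gaps, blocked = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dport"] != "53":
            continue
        if classify(ip_address(row["src"]), ip_address(row["dst"])):
            continue  # flow follows the intended chain
        target = gaps if row["action"] == "allow" else blocked
        target.append((row["src"], row["dst"]))
    return gaps, blocked

# Constructed sample records, not real firewall output.
SAMPLE = """src,dst,proto,dport,action
10.0.5.20,10.0.0.53,udp,53,allow
10.0.0.53,10.0.0.1,udp,53,allow
203.0.113.1,198.51.100.53,udp,53,allow
10.0.5.20,192.0.2.8,udp,53,deny
10.0.0.53,192.0.2.8,tcp,53,allow
10.0.5.21,10.0.0.1,udp,53,allow
10.0.5.20,192.0.2.80,tcp,443,allow
"""

if __name__ == "__main__":
    gaps, blocked = audit(SAMPLE)
    print("policy gaps:", gaps)
    print("blocked attempts:", blocked)
```

A non-empty gap list means some DNS flow was permitted outside the chain, such as the internal DNS server resolving externally on its own or a client querying the firewall directly.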
