DNS Queries Are Not Redirected by PBF Rule if DNS-Proxy is Used


Created On 09/26/18 13:50 PM - Last Modified 07/19/22 23:09 PM


Resolution


Overview

Refer to the sample diagram below. DNS-Proxy is configured on the Palo Alto Networks firewall and a PBF rule is applied. The PBF rule is configured so that traffic is redirected to Internet #2 if Internet #1 is down.

[Network diagram: Screen Shot 2013-02-22 at 6.34.22 PM.png]

Issue

If Internet #1 goes down in this scenario, DNS queries will still go through Internet #1 even though the PBF rule is redirecting traffic to Internet #2.

test@PA-500> show pbf rule all

Rule            ID   Rule State Action   EgreIF  NextHop         NextHop Status
PBF-rule1-Int#1 1   Disabled   Forward  eth1/1  100.100.100.100 DOWN
PBF-rule2-int#2 3   Active     Forward  eth1/2  200.200.200.200 UP

Excerpt from the pan_packet_diag.log file:

== Nov 13 14:08:55 ==
Packet received at slowpath stage
Packet info: len 83 port 23 interface 23 vsys 1
  wqe index 229369 packet 0x0x8000000416ff60c6
Packet decoded dump:
L2: 00:1b:17:05:69:17->00:70:76:69:66:00, type 0x0800
IP: 1.1.1.1->8.8.8.8, protocol 17
        version 4, ihl 5, tos 0x00, len 69,
        id 0, frag_off 0x4000, ttl 64, checksum 48276
UDP:    sport 52062, dport 53, len 49, checksum 55414
Session setup: vsys 1
Nov 13 14:08:55 pan_appid_simple_cache_find(pan_appid_cache.c:318): [CACHE] notfound daddr 0-ffff08080808(53, 17)
Nov 13 14:08:55 pan_appid_cache_find(pan_appid_cache.c:475): [CACHE] not foundappid 0-ffff0a006404(52062) -> 0-ffff08080808(52062)
Session setup: ingress interface ethernet1/3 egress interface ethernet1/1 (zone3)
Nov 13 14:08:55 pan_policy_lookup(pan_policy.c:1169): Time required: 9677 ticks
NAT policy lookup, matched rule index 0
Nov 13 14:08:55 pan_policy_lookup(pan_policy.c:1169): Time required: 5789 ticks
Policy lookup, matched rule index 0
DP0 is selected to process this session.
Allocated new session 80.
Packet matched vsys 1 NAT rule 'PBF-rule1-Int#1 (index 1),  <--- The DNS query from DNS-Proxy still goes through the downed "PBF-rule1-Int#1" PBF rule.
source translation 1.1.1.1/52062 => xx.xx.xx.xx/38456
Created session, enqueue to install

Resolution

The Palo Alto Networks firewall considers DNS proxy traffic as host traffic, and all host traffic always bypasses PBF rules.

Possible solutions are:

  • Avoid using DNS proxy and PBF rules at the same time.
  • Route DNS proxy traffic to an internal DNS server (for example, 172.16.1.53 in the above network diagram) first. It then passes through the firewall again as "through traffic", so the PBF rules apply.
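The symptom above is easy to miss because the PBF table and the packet-diag log are read separately. The following Python script is an added example (not part of this article and not a Palo Alto Networks tool) that correlates the two: it parses `show pbf rule all` output and pan_packet_diag.log session blocks, then flags DNS sessions whose matched PBF rule reports a DOWN next hop. The sample inputs are constructed from the excerpts above (the second, HTTPS session block is invented to show a session that correctly uses the active rule); the column layout of the PBF table and the log line formats are assumed to match the excerpts, and `1.1.1.1` is assumed to be a firewall interface address so DNS-proxy (host) traffic can be distinguished from client DNS.

```python
import re

# Constructed sample of `show pbf rule all` output, modelled on the article's excerpt.
PBF_RULES_OUTPUT = """\
Rule            ID   Rule State Action   EgreIF  NextHop         NextHop Status
PBF-rule1-Int#1 1   Disabled   Forward  eth1/1  100.100.100.100 DOWN
PBF-rule2-int#2 3   Active     Forward  eth1/2  200.200.200.200 UP
"""

# Constructed pan_packet_diag.log sample: the first block mirrors the article's DNS query,
# the second is an invented HTTPS session that correctly uses the active rule.
PACKET_DIAG_OUTPUT = """\
== Nov 13 14:08:55 ==
Packet received at slowpath stage
IP: 1.1.1.1->8.8.8.8, protocol 17
UDP:    sport 52062, dport 53, len 49, checksum 55414
Session setup: ingress interface ethernet1/3 egress interface ethernet1/1 (zone3)
Allocated new session 80.
Packet matched vsys 1 NAT rule 'PBF-rule1-Int#1 (index 1),
source translation 1.1.1.1/52062 => xx.xx.xx.xx/38456
== Nov 13 14:09:02 ==
Packet received at slowpath stage
IP: 172.16.1.10->203.0.113.7, protocol 6
TCP:    sport 40001, dport 443, len 60, checksum 1234
Session setup: ingress interface ethernet1/3 egress interface ethernet1/2 (zone4)
Allocated new session 81.
Packet matched vsys 1 NAT rule 'PBF-rule2-int#2 (index 3),
"""

BLOCK_START = re.compile(r"^== (.+) ==$")
IP_RE = re.compile(r"^IP: (\S+)->(\S+), protocol (\d+)")
L4_RE = re.compile(r"^(UDP|TCP):\s+sport (\d+), dport (\d+)")
EGRESS_RE = re.compile(r"egress interface (\S+)")
SESSION_RE = re.compile(r"^Allocated new session (\d+)")
# The diag log prints the matched PBF rule on a line labelled "NAT rule" (as in the excerpt).
RULE_RE = re.compile(r"matched vsys (\d+) NAT rule '(.+?) \(index (\d+)\)")


def parse_pbf_rules(text):
    """Parse `show pbf rule all` rows into {name: {id, state, action, egress, nexthop, status}}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row (9 tokens) and anything that is not a 7-column data row.
        if len(parts) != 7 or parts[0] == "Rule":
            continue
        name, rule_id, state, action, egress, nexthop, status = parts
        rules[name] = {"id": int(rule_id), "state": state, "action": action,
                       "egress": egress, "nexthop": nexthop, "status": status}
    return rules


def parse_packet_diag(text):
    """Split pan_packet_diag.log into per-session dicts keyed by the '== timestamp ==' blocks."""
    sessions = []
    current = None
    for line in text.splitlines():
        start = BLOCK_START.match(line)
        if start:
            current = {"time": start.group(1)}
            sessions.append(current)
            continue
        if current is None:
            continue
        if (m := IP_RE.match(line)):
            current.update(src=m.group(1), dst=m.group(2), proto=int(m.group(3)))
        elif (m := L4_RE.match(line)):
            current.update(sport=int(m.group(2)), dport=int(m.group(3)))
        elif (m := EGRESS_RE.search(line)):
            # The log spells the interface "ethernet1/1"; the PBF table uses "eth1/1".
            current["egress"] = m.group(1).replace("ethernet", "eth")
        elif (m := SESSION_RE.match(line)):
            current["session"] = int(m.group(1))
        elif (m := RULE_RE.search(line)):
            current["rule"] = m.group(2)
    return sessions


def find_dns_via_down_path(rules, sessions, firewall_ips=frozenset()):
    """Flag DNS sessions (dport 53) whose matched PBF rule is not Active or has a DOWN next hop.

    `firewall_ips` (assumed interface addresses) marks which findings are host traffic,
    i.e. the DNS-proxy case that bypasses PBF as described in the article.
    """
    findings = []
    for s in sessions:
        rule = rules.get(s.get("rule"))
        if rule is None or s.get("dport") != 53:
            continue
        if rule["status"] == "DOWN" or rule["state"] != "Active":
            findings.append({
                "session": s.get("session"), "src": s.get("src"), "dst": s.get("dst"),
                "rule": s["rule"], "egress": s.get("egress"),
                "nexthop_status": rule["status"],
                "host_traffic": s.get("src") in firewall_ips,
            })
    return findings


if __name__ == "__main__":
    pbf_rules = parse_pbf_rules(PBF_RULES_OUTPUT)
    diag_sessions = parse_packet_diag(PACKET_DIAG_OUTPUT)
    for f in find_dns_via_down_path(pbf_rules, diag_sessions, firewall_ips={"1.1.1.1"}):
        kind = "DNS-proxy (host) traffic" if f["host_traffic"] else "client DNS"
        print(f"session {f['session']}: {kind} {f['src']}->{f['dst']} left via "
              f"{f['egress']} under rule '{f['rule']}' (next hop {f['nexthop_status']})")
```

Run against real output, only a finding flagged as host traffic points at the behaviour this article describes; a client DNS finding would instead indicate an ordinary PBF or routing problem and should be investigated separately.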

owner: kkondo


