dns issue

cancel
Showing results for 
Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

dns issue

L6 Presenter

Hi,

 

using an internal Dns server

client makes request for a domain ???.com and cannot get an answer.

from nslookup we see that it cannot resolve the domain.

internal dns server to public dns server rule has a spyware profile.

There is no threat log for this request.But if we disable spyware profile then client can resolve this name.

Any idea about this issue ?

we checked this domain in the lab but it is legal not suspicious.Thanks

 

Regards

 

1 ACCEPTED SOLUTION

Accepted Solutions

L6 Presenter

Hi,

 

this is a known bug which will be fixed in 10.0.7

just confirmed.

 

Regards

 

View solution in original post

11 REPLIES 11

Cyber Elite
Cyber Elite

Hi @panos 

Do you have the DNS security subscription enabled on that firewall? If yes, does your firewall have internet access (at least towards paloalto dns service)?

L6 Presenter

Hi,

license was trial and it is expired.

 

Regards

 

So in this case I assume this feature is still configured in the spyware profile?

is there a way to disable it  ? All categories are selected as allow.

Cyber Elite
Cyber Elite

Hello,

Also check to see if the request is getting dropped into the sinkhole if configured. To disable DNS in the profile:

Objects tab -> Anti-Spyware-> click the profile name

DNS-Signature tab and change Action to Alert (alert allows the traffic and logs it, allow just allows the traffic but does not log it)

 

Hope it helps.

L6 Presenter

Thanks for reply.

no sinkhole ip is returned.cannot resolve the domain.

we checked counters also for dns server's traffic,there is no drop.but clients cannot resolve the domain when spyware profile is selected.

Added the domain to Dns exceptions tab but again same issue.

I opened a Tac case.Let's see what they will find.

 

Regards

 

Maybe it is worth a try to delete the dns security license as it is expired anyway.

Did you check the system logs to see if there are some logs which could lead to the reason of this issue?

Hi,

Thanks,

there were logs saying that "  critical general general 0 License for feature dns-security expired on ..."  so we deleted license from cli but it did not change anything.

Regards

 

 

 

 

Did you try to add a newly created antispyware profile to that rule where you do not configure the dns security options at all?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!