04-04-2011 10:40 AM
Can I use the DNS Proxy to resolve all of my outbound DNS queries?
I would like to point my inside DNS servers to the Palo Alto firewall and then let the firewall resolve the DNS query.
04-05-2011 01:05 AM
Hi
Yes you can
For this to work you would only need to create a new dns proxy, connect it to an interface and configure its primary and secondary upstream DNS servers. Then you would need to point your internal DNS server to the internal IP of the (L3) interface and make sure a security policy allows connection from the inside to the internal interface and from the external interface to the internet.
Take note it will require upstream DNS servers, the proxy can't do root lookups on its own
regards
04-05-2011 07:06 AM
How do I allow the inside interface to accept DNS requests?
04-05-2011 08:57 AM
Firstly, by enabling DNS proxy, and secondly, by verifying your rulebase: in the default rulebase this will be automatically accepted; if you have a drop rule at the end of your rulebase for "any", this will be denied, so you will need to create a rule that accepts DNS queries to the firewall's interface IP.
regards
04-05-2011 11:01 AM
So, are you saying that if I am using PA firewalls as my edge authoritative DNS server I couldn't point it to a list of root servers for external lookups for example? Is this done by design?
04-06-2011 03:16 AM
The proxy DNS was designed as a stub resolver, so it is able to bend certain DNS queries to an alternative DNS server of your choice and have all the other DNS entries handled by an upstream DNS server (recursor).
It will also not be able to act as authoritative, as we don't hold zones; we forward depending on the query.
regards
Tom
09-08-2011 09:22 PM
Hi,
We are trying to do exactly the same thing: we set up a DNS proxy which has to send all DNS requests to the Internet except those for our own domain (let's say mydomain.com), but all DNS requests are sent to the Internet!!
The setup is the following in the PAN setup box :
- primary and secondary DNS are set to point to Internet DNS.
- We add a DNS rule : mydomain.com => our DNS.
Is there anything special to do for this feature to work as expected, syntax or whatever? We are running PAN-OS 4.0.4.
Thanks for your help.
09-14-2011 10:11 AM
Could you do it the other way?
Have your clients point to the internal DNS server. Configure the DNS server to forwards all other requests to the PAN interface hosting the DHCP Proxy?
09-14-2011 09:22 PM
Hi,
Thanks for your proposal, but actually, it's for DMZ servers. They have to request both internal and outside DNS servers. We don't have any DNS forwarding set up on our internal DNS.
PAN split DNS does not work.
09-16-2011 11:44 AM
It can work the way you want it to. I have quite a few DNS Proxy rules set up. In the rule I have
domainname.com
*.domainname.com
all forwarding to the Internal DNS servers. Everything else goes to an ISP DNS server.
I suggest you use CLI scripting if you have a bunch of internal domains to import.
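As an added illustration (not code from the thread or from PAN-OS), the following Python models the split-DNS forwarding decision the two rules above describe, an exact rule plus a wildcard rule per internal domain, and shows why the exact rule on its own leaves subdomain queries going to the upstream server. The matching semantics, server addresses and domain names are assumptions made for the example.

```python
"""Illustrative split-DNS rule matching for a stub-resolver style proxy.
Assumption: an exact pattern matches only that name, and a '*.' pattern
matches any strict subdomain. This is not PAN-OS's implementation."""

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class ProxyRule:
    pattern: str             # e.g. "domainname.com" or "*.domainname.com"
    servers: Tuple[str, ...]  # DNS servers that matching queries are forwarded to


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing root dot is not significant.
    return name.rstrip(".").lower()


def rule_matches(pattern: str, qname: str) -> bool:
    """Return True if qname is covered by pattern (exact or wildcard)."""
    p, q = _norm(pattern), _norm(qname)
    if p.startswith("*."):
        suffix = p[2:]
        # Require a label boundary so "notdomainname.com" does not match
        # "*.domainname.com", and exclude the apex itself (strict subdomain).
        return q != suffix and q.endswith("." + suffix)
    return q == p


def select_upstream(qname: str, rules: Sequence[ProxyRule],
                    default_servers: Tuple[str, ...]) -> Tuple[str, ...]:
    """Pick the most specific (longest) matching rule, else the default upstream."""
    best: Optional[ProxyRule] = None
    for rule in rules:
        if rule_matches(rule.pattern, qname):
            if best is None or len(_norm(rule.pattern)) > len(_norm(best.pattern)):
                best = rule
    return best.servers if best else default_servers


# Constructed sample values (documentation/private ranges, not real servers).
INTERNAL_DNS = ("10.0.0.53",)
ISP_DNS = ("192.0.2.53", "198.51.100.53")

# The rule set from the post: apex and wildcard both point at the internal servers.
RULES = (ProxyRule("domainname.com", INTERNAL_DNS),
         ProxyRule("*.domainname.com", INTERNAL_DNS))
# A rule set with only the exact entry, to show what it misses.
EXACT_ONLY = (ProxyRule("domainname.com", INTERNAL_DNS),)
```

With `RULES`, both `domainname.com` and `www.domainname.com` go to the internal servers; with `EXACT_ONLY`, `www.domainname.com` falls through to the ISP servers, which matches the symptom reported earlier in the thread.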
09-27-2011 05:21 AM
I am having the same issue: even though the local domain names have been set up and DNS servers for these domains have been specified, all traffic that should have gone to the internal DNS servers is sent to the Internet DNS servers instead. We are running PAN-OS 4.05. Static and Internet addresses are resolved correctly, but local addresses are not (non-existent domain or Internet values for A records, instead of local values).
09-27-2011 07:01 AM
Sorry to say that, but I'm pleased to see we are not alone with this issue.
We'll open a case.
regards,
10-14-2011 05:30 AM
Did you receive a reply from PA about the case yet?
regards,
Hen