DNS Proxy - Can I use it to resolve all outbound

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS Proxy - Can I use it to resolve all outbound

L1 Bithead

Can I use the DNS Proxy to resolve all of my outbound DNS queries?

I would like to point my inside DNS servers to the Palo Alto firewall and then let the firewall resolve the DNS query.

1 accepted solution

Accepted Solutions

firstly by enabling DNS proxy and secondly verifying your rulebase: in the default rulebase this will be automatically accepted, if you have a drop rule at the end of your rulebase for "any", this will be denied so you will need to create a rule that accepts dns queries to the firewall's interface IP

regards

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

12 REPLIES 12

Cyber Elite
Cyber Elite

Hi

Yes you can

For this to work you would only need to create a new dns proxy, connect it to an interface and configure its primary and secondary upstream DNS servers. Then you would need to point your internal DNS server to the internal IP of the (L3) interface and make sure a security policy allows connection from the inside to the internal interface and from the external interface to the internet.

Take note it will require upstream DNS servers, the proxy can't do root lookups on its own

regards

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

How do I allow the inside interface to accecpt DNS requests? 

firstly by enabling DNS proxy and secondly verifying your rulebase: in the default rulebase this will be automatically accepted, if you have a drop rule at the end of your rulebase for "any", this will be denied so you will need to create a rule that accepts dns queries to the firewall's interface IP

regards

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

So, are you saying that if I am using PA firewalls as my edge authoritative DNS server I couldn't point it to a list of root servers for external lookups for example?  Is this done by design?

the proxy dns was designed as a stub resolver so it is able to bend certain dns queries to an alternative dns server of your choice and have all the other dns entries handled by an upstream DNS server (recursor)

it will also not be able to handle as authoritative as we don't hold zones, we forward depending on the query

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

we are trying to do exactly the same thing : we setup a DNS proxy which has to send all DNS requests to the Internet except those for our own domain ( let say mydomain.com ), but all DNS requests are sent to internet !!

The setup is the following in the PAN setup box :

- primary and secondary DNS are set to point to Internet DNS.

- We add a DNS rule : mydomain.com => our DNS.

Is there anything special to do for this feature to work as expected, syntax or whatever ? We are running PAN OS 4.0.4.

Thanks for you help.

Could you do it the other way?

Have your clients point to the internal DNS server. Configure the DNS server to forwards all other requests to the PAN interface hosting the DHCP Proxy?

Hi,

thanks for your proposal, but actualy, it's for DMZ servers. They have to request both internal and outside DNS servers. We don't have any DNS forwarding setup on our internal DNS.

PAN split DNS does not works Smiley Sad

It can work the way you want it to.I have quite a few DNS Proxy rules setup. In the rule I have

domainname.com

*.domainname.com

all forwarding to the Internal DNS servers. Everything else goes to an ISP DNS server.

I suggest you use CLI scripting if you have a bunch of internal domains to import.

I am  having the same issue, even though the local domain names have been setup and dns servers for these domains have been specified, all traffic that should have gone to the internal dns servers is sent to the internet dns servers instead. We are running pan-os 4.05. Static and internetaddresses are resolved correctly, but local addresses are not (non existent domain or internet values for A records, instead of local values)

Sorry to say that, but i'm pleased to see we are not alone with this issue.

We'll open a case.

regards,

Did you receive a reply from PA about the case yet ?

regards,

Hen

  • 1 accepted solution
  • 6875 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!