DNS proxy not responding to requests

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS proxy not responding to requests

L0 Member

Hi All,

 

I cannot seem to get DNS proxy working on a PAN-440 box for a simple network topology. Hosts on .20.0/24 subnet cannot resolve DNS using the proxy either from external or domain. I logged denied DNS requests to external DNS from ethernet 1/8's ip so created a rule to allow. Opening up the security policy a bit, the .20.0 hosts can resolve from external DNS directly, showing static routes are ok etc.

 

Used 'test dns-proxy query' and 'show dns-proxy cache all' with ethernet 1/8 and no entries logged (mgmt-obj using service routes had no problem). Weirdly enough, I got cached DNS entries ok when querying dns proxy using the external interface 1/1.

 

Anything I have overlooked? Thanks for your help.

 

 

2 REPLIES 2

Cyber Elite
Cyber Elite

@BumblingFixer,

If you have your internal clients setup to utilize the dns-proxy properly you shouldn't need to allow your clients access to internal DNS servers, which appears to be what you're doing from a brief glance at your configuration. The firewall will handle forwarding when required, the clients don't need access to those external providers. 

It seems like your clients aren't actually configured to utilize the dns-proxy configured interface IPs based off of what you're reporting. I'd double check that your clients are actually sending DNS requests to the interfaces you have dns-proxy enabled on, and that DNS isn't setup to still resolve to the external providers. 

I don't think you read all the details. Using 'test dns-proxy query' on the CLI also failed, proving any client DNS misconfig is not the issue.

I went back to this and did some digging into dnsproxyd on a different deployment and found after the DNSproxy receives the DNS request on configured listening interfaces, it will send out DNS request to the correct IP according to its rules, however sends it on the interface it received the original DNS request on. It will ignore the DNS service interface/destination routes, as well as route tables. Unless there is a hidden setting not mentioned in the admin guides, looks like a bug to me.

This issue may not be encountered in larger deployments with multiple vsys, with the use of DNS profiles: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dns/dns-server-profile 

  • 2353 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!