DNS proxy rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DNS proxy rule

L4 Transporter

I have a DMZ zone for guest wireless users on Palo Alto. They use our internal server 192.168.10.10 for DNS. I am trying to configure the firewall to force them use 8.8.8.8 for a specific domain eg:*.amazon.com
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.8
Please help in configuring this.

5 REPLIES 5

L7 Applicator

@SThatipelly wrote:

Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work


Yes, this will work with the DNS proxy feature of Paloalto.

 


@SThatipelly wrote:

In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.


For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 8.8.8.8.

 

@Remo can I do it without having the clients point to firewall interface as DNS server?

@Remo Also, I'd like to have the endpoints reaching out to the DNS servers but not the firewall. This is because our NAC device evaluates the guest login action based on their DNS and if Firewall proxies it, NAC device will not see the actual endpoint.

I can think of a solution where I can put the following DNS proxy rules so the client goes to them directly:

Rule 1: *.amazon.com-8.8.8.8(DNS server)

Rule 2: *                        -192.168.x.x(DNS server)

 

will my 2nd rule catch all the DNS queries and forward it to 192.168.x.x DNS server?

@SThatipelly 

Unfortinately in your case, the DNS proxy is not a transparent proxy. So in your situation you have to configure the forwarding on your internal DNS server.

  • 3110 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!