This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DNS proxy rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS proxy rule

SThatipelly
L4 Transporter

‎04-13-2019 05:23 AM

I have a DMZ zone for guest wireless users on Palo Alto. They use our internal server 192.168.10.10 for DNS. I am trying to configure the firewall to force them use 8.8.8.8 for a specific domain eg:*.amazon.com
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.8
Please help in configuring this.

0 Likes Likes
5 REPLIES 5

Remo
L7 Applicator

‎04-13-2019 09:25 AM

@SThatipelly wrote:

Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work

Yes, this will work with the DNS proxy feature of Paloalto.

 

@SThatipelly wrote:

In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.

For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 8.8.8.8.

 

0 Likes Likes

SThatipelly
L4 Transporter
In response to Remo

‎04-13-2019 06:34 PM

@Remo can I do it without having the clients point to firewall interface as DNS server?

0 Likes Likes

SThatipelly
L4 Transporter
In response to SThatipelly

‎04-13-2019 10:28 PM

@Remo Also, I'd like to have the endpoints reaching out to the DNS servers but not the firewall. This is because our NAC device evaluates the guest login action based on their DNS and if Firewall proxies it, NAC device will not see the actual endpoint.

I can think of a solution where I can put the following DNS proxy rules so the client goes to them directly:

Rule 1: *.amazon.com-8.8.8.8(DNS server)

Rule 2: *                        -192.168.x.x(DNS server)

 

will my 2nd rule catch all the DNS queries and forward it to 192.168.x.x DNS server?

0 Likes Likes

Remo
L7 Applicator
In response to SThatipelly

‎04-14-2019 01:21 AM

@SThatipelly 

Unfortinately in your case, the DNS proxy is not a transparent proxy. So in your situation you have to configure the forwarding on your internal DNS server.

0 Likes Likes
  • 3705 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks