DNS proxy rule

Reply
Highlighted
L4 Transporter

DNS proxy rule

I have a DMZ zone for guest wireless users on Palo Alto. They use our internal server 192.168.10.10 for DNS. I am trying to configure the firewall to force them use 8.8.8.8 for a specific domain eg:*.amazon.com
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.8
Please help in configuring this.

Tags (2)
Highlighted
Cyber Elite


@SThatipelly wrote:

Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work


Yes, this will work with the DNS proxy feature of Paloalto.

 


@SThatipelly wrote:

In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.


For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 8.8.8.8.

 

Highlighted
L4 Transporter

@vsys_remo can I do it without having the clients point to firewall interface as DNS server?

Highlighted
L4 Transporter

@vsys_remo Also, I'd like to have the endpoints reaching out to the DNS servers but not the firewall. This is because our NAC device evaluates the guest login action based on their DNS and if Firewall proxies it, NAC device will not see the actual endpoint.

I can think of a solution where I can put the following DNS proxy rules so the client goes to them directly:

Rule 1: *.amazon.com-8.8.8.8(DNS server)

Rule 2: *                        -192.168.x.x(DNS server)

 

will my 2nd rule catch all the DNS queries and forward it to 192.168.x.x DNS server?

Highlighted
Cyber Elite

@SThatipelly 

Unfortinately in your case, the DNS proxy is not a transparent proxy. So in your situation you have to configure the forwarding on your internal DNS server.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!