I have a DMZ zone for guest wireless users on Palo Alto. They use our internal server 192.168.10.10 for DNS. I am trying to configure the firewall to force them use 220.127.116.11 for a specific domain eg:*.amazon.com
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 18.104.22.168 will work.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 22.214.171.124
Please help in configuring this.
Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 126.96.36.199 will work
Yes, this will work with the DNS proxy feature of Paloalto.
In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8.
For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 188.8.131.52.
@vsys_remo Also, I'd like to have the endpoints reaching out to the DNS servers but not the firewall. This is because our NAC device evaluates the guest login action based on their DNS and if Firewall proxies it, NAC device will not see the actual endpoint.
I can think of a solution where I can put the following DNS proxy rules so the client goes to them directly:
Rule 1: *.amazon.com-184.108.40.206(DNS server)
Rule 2: * -192.168.x.x(DNS server)
will my 2nd rule catch all the DNS queries and forward it to 192.168.x.x DNS server?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!