cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DNS proxy sharepoint domain issue when cache enabled

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Chris.Ka
L1 Bithead
‎11-07-2020 11:20 PM
‎11-07-2020 11:20 PM

DNS proxy sharepoint domain issue when cache enabled

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this?
I'm using PanOS 10.0.2

4 people had this problem.
0 Likes
Reply

Accepted Solutions
BPry
Cyber Elite
Cyber Elite
‎11-08-2020 10:41 AM
‎11-08-2020 10:41 AM

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug. 

 

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related. 

View solution in original post

(1)
Reply

All Replies
BPry
Cyber Elite
Cyber Elite
‎11-08-2020 10:41 AM
‎11-08-2020 10:41 AM

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug. 

 

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related. 

View solution in original post

(1)
Reply
kevin_thys
L1 Bithead
‎11-23-2020 05:04 AM
‎11-23-2020 05:04 AM

I do notice the same issue. Did they found the root cause? If not I would also open a ticket to help them finding the roort cause.

0 Likes
Reply
jmretting
L1 Bithead
‎01-24-2021 02:57 AM
‎01-24-2021 02:57 AM

Also "dns cache" should be applied at the "proxy rule" level, not the parent layer.

0 Likes
Reply
TerryStevens
L0 Member
‎02-01-2021 10:25 PM
‎02-01-2021 10:25 PM

@Chris.Ka wrote:

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this? mybizaccount
I'm using PanOS 10.0.2

I think I am also facing this issue. but Thanks for the information.

0 Likes
Reply
DavidReesImdex
L0 Member
‎03-07-2021 07:44 PM
‎03-07-2021 07:44 PM

Same issue found on 10.0.4

0 Likes
Reply
morgnercoit
L0 Member
‎03-07-2021 08:24 PM
‎03-07-2021 08:24 PM

I have found that PA management DNS fails if Cache is disabled on the DNS Proxy. I needed to break out DNS management interface from a bug fixed DNS proxy with cache disabled. And then enable cache and replicate any dns/static rules. I have identified *.intuit.com and *.sharepoint.com. Applying non-cache enabled rules for those domains in your DNS proxy will fix failing lookups. However I don't know if there is any reasonable way to determine what FQDN's are affects. In which case....DNS Proxy cache should not be used on version 10 in any production environment. Needing to enable cache on the managment interface for DNS also means there is no way to apply firewall policies regarding those afflicted unknown/known FQDNs. v10 is not production ready.

0 Likes
Reply
Chris.Ka
L1 Bithead
‎03-07-2021 11:18 PM
‎03-07-2021 11:18 PM

I have created an support case for this issue and its a known issue. Here is the important part from the support response:

Root cause:-

When dnsproxy cache is enabled, we always prepare the response from the cache (regardless if we have the records in cache already or we need to forward the request to a name sever first)
During this process, dnsproxy does not check if the prepared DNS response is too big or not (default udp limit should be 512 bytes). So the DNS response prepared by dnsproxy could be dropped by other PAN FWs or network devices if the size is larger than the limit (512 or otherwise specified in EDNS)

This problem usually happens with nested CNAME records and when cache is used due to dnsproxy's limited compression ability.


As a workaround, one can
1. disable cache
2. add DNS proxy rule for this FQDN and not use cache
3. use EDNS (it allows larger UDP DNS)

0 Likes
Reply
morgnercoit
L0 Member
‎03-07-2021 11:29 PM
‎03-07-2021 11:29 PM

I have found that if you have a tunnel interface assigned as DNS Service route, and you turn DNS Proxy cache off, resolution fails for all FQDNs.

0 Likes
Reply
jmretting
L1 Bithead
3 weeks ago
3 weeks ago

Looks like its fixed in 10.0.5. Looks like a combination of multiple, from what it looks like, DNS proxy fixes according according release notes.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks