11-07-2020 11:20 PM
Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this?
I'm using PanOS 10.0.2
11-08-2020 10:41 AM
Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug.
FYI,
Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related.
11-08-2020 10:41 AM
Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug.
FYI,
Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related.
11-23-2020 05:04 AM
I do notice the same issue. Did they found the root cause? If not I would also open a ticket to help them finding the roort cause.
01-24-2021 02:57 AM
Also "dns cache" should be applied at the "proxy rule" level, not the parent layer.
02-01-2021 10:25 PM - edited 02-04-2021 12:12 AM
@Chris.Ka wrote:Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this? mybizaccount
I'm using PanOS 10.0.2
I think I am also facing this issue. but Thanks for the information.
03-07-2021 07:44 PM
Same issue found on 10.0.4
03-07-2021 08:24 PM
I have found that PA management DNS fails if Cache is disabled on the DNS Proxy. I needed to break out DNS management interface from a bug fixed DNS proxy with cache disabled. And then enable cache and replicate any dns/static rules. I have identified *.intuit.com and *.sharepoint.com. Applying non-cache enabled rules for those domains in your DNS proxy will fix failing lookups. However I don't know if there is any reasonable way to determine what FQDN's are affects. In which case....DNS Proxy cache should not be used on version 10 in any production environment. Needing to enable cache on the managment interface for DNS also means there is no way to apply firewall policies regarding those afflicted unknown/known FQDNs. v10 is not production ready. 😞
03-07-2021 11:18 PM
I have created an support case for this issue and its a known issue. Here is the important part from the support response:
Root cause:-
When dnsproxy cache is enabled, we always prepare the response from the cache (regardless if we have the records in cache already or we need to forward the request to a name sever first)
During this process, dnsproxy does not check if the prepared DNS response is too big or not (default udp limit should be 512 bytes). So the DNS response prepared by dnsproxy could be dropped by other PAN FWs or network devices if the size is larger than the limit (512 or otherwise specified in EDNS)
This problem usually happens with nested CNAME records and when cache is used due to dnsproxy's limited compression ability.
As a workaround, one can
1. disable cache
2. add DNS proxy rule for this FQDN and not use cache
3. use EDNS (it allows larger UDP DNS)
03-07-2021 11:29 PM
I have found that if you have a tunnel interface assigned as DNS Service route, and you turn DNS Proxy cache off, resolution fails for all FQDNs.
03-25-2021 10:42 PM
Looks like its fixed in 10.0.5. Looks like a combination of multiple, from what it looks like, DNS proxy fixes according according release notes.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
