DNS proxy sharepoint domain issue when cache enabled

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
Chris.Ka
L1 Bithead

DNS proxy sharepoint domain issue when cache enabled

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this?
I'm using PanOS 10.0.2


Accepted Solutions
BPry
Cyber Elite

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug. 

 

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related. 

View solution in original post


All Replies
BPry
Cyber Elite

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug. 

 

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related. 

View solution in original post

kevin_thys
L1 Bithead

I do notice the same issue. Did they found the root cause? If not I would also open a ticket to help them finding the roort cause.

jmretting
L1 Bithead

Also "dns cache" should be applied at the "proxy rule" level, not the parent layer.

TerryStevens
L0 Member


@Chris.Ka wrote:

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this? mybizaccount
I'm using PanOS 10.0.2


I think I am also facing this issue. but Thanks for the information.

DavidReesImdex
L0 Member

Same issue found on 10.0.4

morgnercoit
L0 Member

I have found that PA management DNS fails if Cache is disabled on the DNS Proxy. I needed to break out DNS management interface from a bug fixed DNS proxy with cache disabled. And then enable cache and replicate any dns/static rules. I have identified *.intuit.com and *.sharepoint.com. Applying non-cache enabled rules for those domains in your DNS proxy will fix failing lookups. However I don't know if there is any reasonable way to determine what FQDN's are affects. In which case....DNS Proxy cache should not be used on version 10 in any production environment. Needing to enable cache on the managment interface for DNS also means there is no way to apply firewall policies regarding those afflicted unknown/known FQDNs. v10 is not production ready.

Chris.Ka
L1 Bithead

I have created an support case for this issue and its a known issue. Here is the important part from the support response:

Root cause:-

When dnsproxy cache is enabled, we always prepare the response from the cache (regardless if we have the records in cache already or we need to forward the request to a name sever first)
During this process, dnsproxy does not check if the prepared DNS response is too big or not (default udp limit should be 512 bytes). So the DNS response prepared by dnsproxy could be dropped by other PAN FWs or network devices if the size is larger than the limit (512 or otherwise specified in EDNS)

This problem usually happens with nested CNAME records and when cache is used due to dnsproxy's limited compression ability.


As a workaround, one can
1. disable cache
2. add DNS proxy rule for this FQDN and not use cache
3. use EDNS (it allows larger UDP DNS)

morgnercoit
L0 Member

I have found that if you have a tunnel interface assigned as DNS Service route, and you turn DNS Proxy cache off, resolution fails for all FQDNs.

jmretting
L1 Bithead

Looks like its fixed in 10.0.5. Looks like a combination of multiple, from what it looks like, DNS proxy fixes according according release notes.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!