DNS proxy sharepoint domain issue when cache enabled

Chris.Ka · ‎11-07-2020

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this?
I'm using PanOS 10.0.2

BPry · ‎11-08-2020

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug.

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related.

View solution in original post

BPry · ‎11-08-2020

@Chris.Ka,

Open a TAC case and ask them to replicate the issue. Sounds you you've possibly found a PAN-OS 10 bug.

FYI,

Unless you need to run PAN-OS 10 due a feature set, I wouldn't recommend running it yet on production gear. I'd stick with PAN-OS 9.1 for anything production related.

kevin_thys · ‎11-23-2020

I do notice the same issue. Did they found the root cause? If not I would also open a ticket to help them finding the roort cause.

jmretting · ‎01-24-2021

Also "dns cache" should be applied at the "proxy rule" level, not the parent layer.

TerryStevens · ‎02-01-2021

@Chris.Ka wrote:
Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.
Does someone have any suggestion how I could solve this? mybizaccount
I'm using PanOS 10.0.2

I think I am also facing this issue. but Thanks for the information.

DavidReesImdex · ‎03-07-2021

Same issue found on 10.0.4

morgnercoit · ‎03-07-2021

I have found that PA management DNS fails if Cache is disabled on the DNS Proxy. I needed to break out DNS management interface from a bug fixed DNS proxy with cache disabled. And then enable cache and replicate any dns/static rules. I have identified *.intuit.com and *.sharepoint.com. Applying non-cache enabled rules for those domains in your DNS proxy will fix failing lookups. However I don't know if there is any reasonable way to determine what FQDN's are affects. In which case....DNS Proxy cache should not be used on version 10 in any production environment. Needing to enable cache on the managment interface for DNS also means there is no way to apply firewall policies regarding those afflicted unknown/known FQDNs. v10 is not production ready. 😞

Chris.Ka · ‎03-07-2021

I have created an support case for this issue and its a known issue. Here is the important part from the support response:

Root cause:-

When dnsproxy cache is enabled, we always prepare the response from the cache (regardless if we have the records in cache already or we need to forward the request to a name sever first)
During this process, dnsproxy does not check if the prepared DNS response is too big or not (default udp limit should be 512 bytes). So the DNS response prepared by dnsproxy could be dropped by other PAN FWs or network devices if the size is larger than the limit (512 or otherwise specified in EDNS)

This problem usually happens with nested CNAME records and when cache is used due to dnsproxy's limited compression ability.

As a workaround, one can
1. disable cache
2. add DNS proxy rule for this FQDN and not use cache
3. use EDNS (it allows larger UDP DNS)

morgnercoit · ‎03-07-2021

I have found that if you have a tunnel interface assigned as DNS Service route, and you turn DNS Proxy cache off, resolution fails for all FQDNs.

jmretting · ‎03-25-2021

Looks like its fixed in 10.0.5. Looks like a combination of multiple, from what it looks like, DNS proxy fixes according according release notes.

Network Security

Cloud Security

Security Operations

DNS proxy sharepoint domain issue when cache enabled

DNS proxy sharepoint domain issue when cache enabled

Show your appreciation!