DNS Proxy

Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS Proxy

L2 Linker


i wanna achieve dns proxy wherein my requirement is as follows:

1. i wanna use my internet browsing PCs to use palo alto defined DNS which will use our ADSL 100mbps connection for browsing.

2. secondly, my other critical PCs will use DNS from existing AD and use Lease Line internet for server access and mission critical tasks.

i feel i can achieve this via dns proxy feature in PAN , but little confused how to go abt it.

appreciate help


Accepted Solutions



That's great! Can you please mark this question as solved please?




View solution in original post


Cyber Elite
Cyber Elite

@zaidshaikhPlease correct me if i am wrong,


You have two internet links on your firewall. One is ADSL and other is Lease line connection.  Your Critical PCs internet goes from Lease line connection. For the internet traffic that is going via Lease line connection, you need Palo Alto to be act as DNS proxy.


Just one question, where is gateway configured for the subnet where all critical PCs resides?






We have internet PCs wherein the gateway is the palo alto fw, what i need to achieve is when the PC is browsing for normal internet access we need PAN to provide Public DNS to it.

Whereas when the same PC wants to access our internal servers or internal infra, we need PAN to redirect those dns request to our internal DNS server.




Ok then you can configure DNS proxy on the interface of Palo Alto Firewall which is the gateway of PCs. Under DNS proxy configuration,  you can add Primary and Secondary DNS servers that you want to configure for PCs network. And for your other requirement i.e. to redirect internal URLs to internal DNS servers, you can achieve it using below two ways,


1. Add DNS proxy rule where you'll define internal domains and internal DNS servers for those domains. So DNS query for those internal DNS will be send to configured internal DNS servers. Here PA forward selective domains to the DNS servers which are different from the configured primary and secondary servers.


2. You can even add Static entries for internal URLs under DNS Proxy Configuration. You can statically define domain/FQDN and its associated server address. So if anyone is trying to access internal URL, the request will be directly forwarded to configured address.


Hope it helps you!




thanks mate for the reply,

what i did before is I enable ADSL service by policy based forwarding---- it worked fine.

then DNS-Proxy configured, with primary as and DNS Rule match for internal severs .100 and .101 for internal dns requests.

Now, as soon as i change the PC dns ip to that of the interface ip for which the DNS-Proxy is configured, nslookup for google.com or any dns is not resolving.  This is one part.



I did this same thing by using our existing Lease Line NAT policy wherein i just added this new interface-zone into the NAT policy and committed. It worked fine on the PC resolving all dns outside and our company domain name to its IP.


So, is there i am missing with ADSL config ? i think so

Secondly, is there anything i need to comfigure on the Comain controller where the our dns-server is configured to resolve hostnames of PCs etc.



@zaidshaikhIn first part, make sure you have required policies to allow DNS traffic towards public DNS from the interface. What do you see in the traffic logs? I suspecting issue with policies only as you said it works fine from Lease line connection.


Also check dnsproxy related logs by using command - tail follow yes mp-log dnsproxyd.log

Check what is the o/p of this command.


Nothing is required to be configured on DC.





Thanks Mayur i will do it today. apprise you



Actually i got engaged to other activities, was off-the hook with this case..

I didn;t  made the ADSL policy yet, instead we tried making web proxy server by adding IPs into exception lists on the the browser settings, to make it easy.

In this case also, I am able to put IPs the the exception list , but not the Ports (eg:, is there any way to add ports in the list?

we found this proxry server way is more easy and relatable to us.




I am confused now, what exactly are you trying to do? As per my understandings, you want to use Palo Alto as DNS proxy server where PA FW will reside between client and server for DNS queries.  Hope this is your requirement.




yes , what i am thinking is if a configure the DNS proxy on PAN, the PC gateway will be that of PAN interface, and through this interface the DNS request will flow accordingly. However, what about the reverse traffice, i mean if the domain controller(DC) pushes some changes to these PCs, then how DC will communicate, since this DC is directly communicating with the PCs currently.

I dont want to ask the system team,for any changes/additional configs request. Thats y tried web-proxy.


regret confusing you much 



Whatever configuration that we are discussing is related to DNS traffic only. As per my understanding, this shouldn't affect your group policy updates from DC etc. For that your system should be part of domain that's it and there should be reachability between PCs and DC.




I will check and let u know 

 Thanks mayur for ur insights.

@zaidshaikh ,


I think, you are mixing two things, group  policy push and dns functionalities.



Yes. just now i tried the putting my PC with this new interface IP, am able to resolve dns names also my PC is effecting changes via domain and dns.

Thanks BK and Mayur for making me understand.


Now the problem is the same with DNS proxy(ie PAN) also, am not able to resolve any internal URLs (like 172.16.60.X:8888) to resolve i want to know how to add/or put ports insode the DNS proxy rules inside PAN.


Thanks Guy:)



Have you added DNS proxy rules?

Under DNS proxy rules, you can add internal URLs  and under domain name section (without port) and internal DNS servers under Primary and Secondary tab. With this, PA firewall will forward mentioned domains to mentioned dns servers. Just make sure, there is reachability internal DNS servers IPs.


The other way is to add static entries. Under Static entries tab, enter FQDN and it's associated address.


Hope it helps!



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!