DNS Proxy

L0 Member

I have configured DNS Proxy on a PA200 with PANOS 4.1.9, with two interfaces enabled for DNS proxy service and two default public DNS as primary and secondary.

But on the system monitor, on the DNS Proxy object, I find: "Failed to resolve domain name: <domain-name> after trying all attempts to name server(s): 8.8.4.4 8.8.8.8".

Which is the source IP address of the DNS request executed by DNS Proxy? Is this the problem, or something else?

Thanks.

L5 Sessionator

If you are pinging directly from the firewall itself, as shown below, the firewall pings 8.8.8.8 via the management interface. The firewall uses the DNS servers configured under the management interface settings to resolve google.com to its IP address.

>ping host 8.8.8.8

>ping host google.com


The PA device will need a layer 3 interface with an IP address to act as the DNS proxy, and your users will point to this IP address as the DNS server.

Please refer to the links below, which have an answer to your question.


https://live.paloaltonetworks.com/message/28716#28716

https://live.paloaltonetworks.com/docs/DOC-3522

https://live.paloaltonetworks.com/message/12588#12588

https://live.paloaltonetworks.com/docs/DOC-4633


Hope that helps!

BR,

Karthik


L0 Member

Thank you for your help, but my question is different. I tried logging the policy rules and found that it is necessary to permit, in the security policies, the traffic from the IP addresses of the interfaces on which I have enabled DNS proxy, destined for the public DNS servers configured in the DNS proxy form. Then DNS proxy is correctly enabled and resolves all requests received from the users. Without this security policy rule the appliance was not able to redirect DNS queries to the public DNS servers.

Best Regards.

LA

L5 Sessionator

I am assuming that you have a clean-up rule configured, which lies at the end of the security rules list. If so, we certainly need this rule, because the PANFW has to communicate with the DNS servers via the interfaces configured (and this communication is via the data plane and is not considered host-inbound or host-outbound traffic).
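To make the two findings above concrete (the proxy's upstream queries are sourced from the data-plane interface IPs, and a trailing clean-up rule drops them unless a rule explicitly allows interface IP to upstream DNS), here is an added example, not from the thread or from Palo Alto Networks, that models first-match security policy evaluation over a small rulebase. The interface IPs, user subnet and rule names are constructed values; the upstream servers 8.8.8.8 and 8.8.4.4 are the ones from the original post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the thread): interfaces with
# DNS proxy enabled, the upstream servers named in the post, and a user subnet.
PROXY_INTERFACE_IPS = ["192.0.2.1", "198.51.100.1"]
UPSTREAM_DNS = ["8.8.8.8", "8.8.4.4"]
USER_SUBNET = "10.0.0.0/8"


@dataclass
class Rule:
    name: str
    sources: list        # CIDR strings, or ["any"]
    destinations: list   # CIDR strings, or ["any"]
    apps: list           # application names, or ["any"]
    action: str          # "allow" or "deny"


def _matches(addr, nets):
    """True if addr falls inside any listed network (or the list is 'any')."""
    if nets == ["any"]:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rulebase, src, dst, app):
    """First-match evaluation, top to bottom, as a security rulebase does.

    Returns (rule_name, action). If nothing matches, the platform's implicit
    deny applies; a visible clean-up rule at the end normally catches it first.
    """
    for rule in rulebase:
        if (_matches(src, rule.sources) and _matches(dst, rule.destinations)
                and (rule.apps == ["any"] or app in rule.apps)):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def dns_proxy_upstream_verdicts(rulebase):
    """Verdict for every flow the DNS proxy itself originates: each proxy
    interface IP to each configured upstream server, application 'dns'."""
    return {(s, d): evaluate(rulebase, s, d, "dns")
            for s in PROXY_INTERFACE_IPS for d in UPSTREAM_DNS}


def blocked_pairs(rulebase):
    """Sorted (interface_ip, upstream_ip) pairs that the rulebase does not allow."""
    verdicts = dns_proxy_upstream_verdicts(rulebase)
    return sorted(pair for pair, (_, action) in verdicts.items() if action != "allow")


# Users are allowed to query the proxy interfaces; a clean-up deny ends the list.
USER_DNS = Rule("users-to-proxy", [USER_SUBNET],
                [f"{ip}/32" for ip in PROXY_INTERFACE_IPS], ["dns"], "allow")
CLEANUP = Rule("cleanup", ["any"], ["any"], ["any"], "deny")

# Rulebase as first described in the thread: nothing covers the proxy's own queries.
RULEBASE_BEFORE = [USER_DNS, CLEANUP]

# The rule the original poster had to add: interface IPs -> upstream DNS, app dns.
PROXY_OUT = Rule("dns-proxy-to-upstream",
                 [f"{ip}/32" for ip in PROXY_INTERFACE_IPS],
                 [f"{ip}/32" for ip in UPSTREAM_DNS], ["dns"], "allow")
RULEBASE_AFTER = [USER_DNS, PROXY_OUT, CLEANUP]


if __name__ == "__main__":
    for label, rb in (("before", RULEBASE_BEFORE), ("after", RULEBASE_AFTER)):
        print(label, "blocked upstream pairs:", blocked_pairs(rb))
```

Run as a script, the "before" rulebase reports all four interface-to-upstream pairs as blocked by the clean-up rule, matching the "Failed to resolve domain name" message in the original post, while the "after" rulebase reports none. When troubleshooting the real device, the equivalent check is the traffic log filtered on source equal to the proxy interface IP and destination port 53, where the denying rule name will be the clean-up rule.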
