I have configured DNS Proxy on a PA200 with PANOS 4.1.9, with two interfaces enabled for DNS proxy service and two default public DNS as primary and secondary.
But on system monitor, on DNS Proxy object, I find: "Failed to resolve domain name: <domain-name > after trying all attempts to name server(s): 188.8.131.52 184.108.40.206 .
Which is the source IP address of the DNS request executed by DNS-Proxy ? Is this the problem or other ?
If you are pinging directly from the firewall itself , as shown below, the firewall pings 220.127.116.11 via the management interface. The firewall uses the DNS servers configured under the management interface settings to resolve google.com to its IP address.
>ping host 18.104.22.168,
>ping host google.com
The PA device will need a layer3 interface with an IP address to act as the DNS proxy, and your users will point to this IP address as the DNS server.
PLease refer to the below links that have an answer to your question.
Hope that helps!
Thank you for your help, but my question is different. I tried by logging policies rules and I find that it's need to permit, in the security policies, the traffic from the IP addresses of the interfaces, on which I have enabled DNS proxy, destinated to the public DNS configured in the DNS proxy form. Then DNS proxy is correctly enabled and solve all requests received from the users. Without this security policy rule the appliance was not able to redirect DNS queries to public DNS.
I am assuming that you have a clean up rule configured, which lies on the end of the security rules list. If so, we certainly need this rule, because the PANFW has to communicate to the DNS servers via the interfaces configured ( and this communication is via the data-plane and is not considered host inbound or host outbound traffic ).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!