DynDNS client on PANOS 9.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DynDNS client on PANOS 9.0

L3 Networker

Hi,

 

I'm trying to setup DynDNS based on the instructions found at https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-dynamic-dns-for-firew...

 

I'm using DuckDNS, but I'm stuck at the 'certificate profile' portion.  As I understand it correctly I have to import the (public) SSL certificate of DuckDNS, but this is not provided by them.

I don't understand why this is needed since their certificate is signed by Starfield CA, which is already in the list of 'Default Trusted Certificate Authorities' on the Paloalto firewall.

 

Also other DynDNS provides such as DYN don't seem to provide their public certificates for download.

23 REPLIES 23

Hey Rick.

 

I've been having a similar problem for while. I solved it by making the URL filtering categories of 'high-risk' and 'dynamic-dns' to alert or allow. Then I imported the certificates I got from a packet capture to that IP. Those certificates were different than what Firefox provided me with. You can find them here:

Starfield Class 2 Certification Authority Root Certificate

Starfield Secure Server Certificate (Cross Intermediate Certificate)

Starfield Secure Server Certificate (Intermediate Certificate) - G2

and finally DuckDNS's certificate (note: you will need to save that as a .pem file)

 

Then I selected all three Starfield certificates in my certificate profile

After commiting I went to the CLI and ran these commands:

test dns-proxy ddns update interface name ethernet1/1

show dns-proxy ddns interface name ethernet1/1

 

The return code was good.

 

Hope this helps

 

I tried all of the recommendations that were described here. None of them worked. I am currently with a setup and recommendation from MPipes and ddns is not working with DuckDNS service. 

error i am getting:   'Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host #####.duckdns.org with 10.xx.xx.4 Server response: Couldn\'t connect to server' 

 

 

Certificates imported:

certs.JPG

 

Certificate profile setup:

cert-profile.JPG

 

in my setup I am using vlan that has internet access and setup is as following:

vlan.10 == PA220 == eth1/1 == NAT router = ISP  (no security profiles are used in security policy allowing traffic to internet)

vlan.JPG

 

Anyone with an idea what to do, what to troubleshoot? 

 

I tried all of the previous recommendations and combinations with certificates and i am out of ideas. Any help more than welcome. 

Make sure you imported the certificates as Trusted Root CA Certificates. I also imported DuckDNS's certificateScreen Shot 2021-03-05 at 22.47.11.png

updated certificates as Trusted CA and imported DuckDNS cert too. installed-cert.JPG

 

DuckDNS cert cannot be imported under cert profile since it is not a  CA certificate. 

I am still getting the same error: "Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host ####.duckdns.org with 10.XX.XX.4 Server response: Couldn't connect to server."

Systemlog.png

 

after i checked the traffic logs and url logs, whenever i run the "test dns-proxy ddns update interface name vlan.10"

it only generates logs under system logs, no traffic logs for the source. 

also debug dataplane shows no logs:

 

duckdns.org is resolved to 35.165.107.187. 

 

having in mind that vlan.10 interface is local firewall interface that has to match fw policy and nat policy in order to reach to internet ran packet-diag:

 

admin@PAFW> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.xx.xx.4/32[0]->35.165.107.187/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 35.165.107.187/32[0]->10.xx.xx.4/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: yes
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic ager np arp receive ha nd mcast log track cluster pred
ctd : basic
ssl : basic
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Username:
Stage receive : file duck-receive
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage firewall : file duck-firewall
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file duck-transmit
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file duck-drop
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------

 

perhaps i might be wrong, but i do think that pa220 is not making requests to duckdns when i run test dns-proxy ddns update interface name vlan.10, and there is no ssl session for that matter to use certificate profiles. 

 

Based on my previous update and further digging, the PA was not initiating traffic due to incorrect (default) service route configuration. After changing the setting and placing vlan.10 instead of default value DuckDns started to update properly. 

DuckDns.png

L2 Linker

I originally tested without Cert Profile, thinking that PAN would use the the default Internet CA store, but this is not an option. You literally need to download and install the root CA (and intermediate) on PAN, which I think defeats the purpose of PAN-OS having a default CA store.  Once you have installed the root CA, then create a cert profile and add the root CA (and intermediate if applicable). I called it cert_profile_1 as I assume I would add more root CAs for other things in the future.  You do not need to add the web site cert. So all should be good unless the web site changes to a different root CA. It would be great if PA has the option to 'use default cert store' instead of an explicit cert profile.

Hi @johnwalshaw 

Setting the cert profile to none is not possible here, at least on 10.1.3

The error I get when saving the interface settings:
"Operation Failed ethernet1/1 -> layer3 -> ddns-config constraints failed : DDNS Cert Profile missing ethernet1/1 -> layer3 -> ddns-config is invalid"

Agreed and understood.  I updated my original post. I have tested DDNS successfully now.  Seems like a weird method considering there is a default CA store, which is inexplicably unavailable for a public internet public CA URL.

L2 Linker

My DuckDNS had stopped working some time ago and I finally did some troubleshooting today and found that the cert issuer has changed to Amazon so your cert profile needs to have the Amazon ROOT and INT CA's instead of Starfield now.

  • 18719 Views
  • 23 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!