How does dns-proxy in Vsys Configuration works?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How does dns-proxy in Vsys Configuration works?

L5 Sessionator

I'm trying to use different dns server for FQDN objects in each vsys.

My platform is PA5020 v4.0.9., and I can see dns-proxy field in vsys creation window.

According to the explanation in '?' help page, it says something about interface.

Which interface does it point?

What is the difference between interface in dns-proxy config window and this?

If someone knows the solution, please help me.

Regards,

Emr

1 accepted solution

Accepted Solutions

L6 Presenter

The interfaces in your WS000016.JPG screenshot are which interfaces that should belong to the particular VSYS (and have nothing to do with dns-proxy to my knowledge).

Like if you want to have:

VSYS0: int0/1, int0/2, int0/3
VSYS1: int0/4, int0/5, int0/6
VSYS2: int0/7, int0/8, int0/9

The dns-proxy setting is which dns-proxy setup you wish to attach to the particular VSYS.

The other screenshot, WS000017.JPG, displays a particular dns-proxy (in this case named "google") and the interfaces here are which interfaces this dns-proxy should be attached to.

The reason for why there is an interface configuration for the dns-proxy is simply because if you have lets say WAN, LAN and DMZ as interfaces in your PAN (or VSYS in your PAN) then I would assume you would want to use dns-proxy on the LAN-interface and not on the WAN-interface (that is incoming dns-packets on LAN should be modified according to the dns-proxy setting).

So for example...

If you for VSYS0 setup the following interfaces:

VSYS0: int0/1, int0/2, int0/3

and choose to use the "google" dns-proxy, then when you configure this "google" dns-proxy you should only be able to choose between int0/1, int0/2 and int0/3.

But from what I understand with your first sentence is that you want to use different dns-server(s) for different VSYS when you configure security rules etc regarding objects based on FQDN instead of ipaddress.

Unfortunately I dont think this is currently possible. Simply because the VSYS stuff is only to segment the dataplane - you will still have only one mgmtplane for all the VSYS.

You setup which dnsservers the mgmtplane should use in Device -> Setup -> Services and can also configure which interfaces should be used (for example if your dnsserver for FQDN lookups during configuration isnt avaiable on the mgmtinterface but rather on int0/3 or whatever) in Service Route Configuration.

So I think you will have to file this as a feature request to your sales rep that you want to be able to segment the mgmtplane aswell (or at least be able to do this for the dnsconfiguration of Device -> Setup -> Services).

Also note that (at least by my opinion Smiley Happy ) you should avoid using FQDN for network objects in your configuration.

That is not only because your firewall will then rely on the output from the dnsserver when you configure (imagine what would happen if someone modifies your dns to return "0.0.0.0" for a particular host?) but also because the mgmtplane will only query your dns for FQDN during commit and translate each FQDN into an ipaddress which is then loaded into the fpga/asic.

This means that if you commit at lets say 12:00 oclock and then modify your dns at 12:01 oclock the firewall will still only allow (or deny depending on the rule) traffic for the old ip.

View solution in original post

2 REPLIES 2

L6 Presenter

The interfaces in your WS000016.JPG screenshot are which interfaces that should belong to the particular VSYS (and have nothing to do with dns-proxy to my knowledge).

Like if you want to have:

VSYS0: int0/1, int0/2, int0/3
VSYS1: int0/4, int0/5, int0/6
VSYS2: int0/7, int0/8, int0/9

The dns-proxy setting is which dns-proxy setup you wish to attach to the particular VSYS.

The other screenshot, WS000017.JPG, displays a particular dns-proxy (in this case named "google") and the interfaces here are which interfaces this dns-proxy should be attached to.

The reason for why there is an interface configuration for the dns-proxy is simply because if you have lets say WAN, LAN and DMZ as interfaces in your PAN (or VSYS in your PAN) then I would assume you would want to use dns-proxy on the LAN-interface and not on the WAN-interface (that is incoming dns-packets on LAN should be modified according to the dns-proxy setting).

So for example...

If you for VSYS0 setup the following interfaces:

VSYS0: int0/1, int0/2, int0/3

and choose to use the "google" dns-proxy, then when you configure this "google" dns-proxy you should only be able to choose between int0/1, int0/2 and int0/3.

But from what I understand with your first sentence is that you want to use different dns-server(s) for different VSYS when you configure security rules etc regarding objects based on FQDN instead of ipaddress.

Unfortunately I dont think this is currently possible. Simply because the VSYS stuff is only to segment the dataplane - you will still have only one mgmtplane for all the VSYS.

You setup which dnsservers the mgmtplane should use in Device -> Setup -> Services and can also configure which interfaces should be used (for example if your dnsserver for FQDN lookups during configuration isnt avaiable on the mgmtinterface but rather on int0/3 or whatever) in Service Route Configuration.

So I think you will have to file this as a feature request to your sales rep that you want to be able to segment the mgmtplane aswell (or at least be able to do this for the dnsconfiguration of Device -> Setup -> Services).

Also note that (at least by my opinion Smiley Happy ) you should avoid using FQDN for network objects in your configuration.

That is not only because your firewall will then rely on the output from the dnsserver when you configure (imagine what would happen if someone modifies your dns to return "0.0.0.0" for a particular host?) but also because the mgmtplane will only query your dns for FQDN during commit and translate each FQDN into an ipaddress which is then loaded into the fpga/asic.

This means that if you commit at lets say 12:00 oclock and then modify your dns at 12:01 oclock the firewall will still only allow (or deny depending on the rule) traffic for the old ip.

Hi mikand,

Thanks!

I understand about dns-proxy.

  • 1 accepted solution
  • 3592 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!