02-15-2012 03:00 PM
Hi all,
I've read in an article that it's possible to intercept DNS requests with the DNS proxy without setting the PA IP address as the computer's DNS server.
Following this article, I've enabled DNS proxy on a PA interface (inside), redirecting DNS requests to a public DNS server; I've set up a DNS proxy rule to try to intercept the requests (for example, *.google.*) and created a DNS static entry like this: www.google.es --> 1.1.1.1
But if I set up a public DNS server on my computer (8.8.8.8 or any other), the DNS requests are not intercepted; only if I set the PA interface IP as my DNS server are the DNS requests resolved as I want.
Is there anything wrong in my configuration? Or DNS proxy interception isn't really working?
02-15-2012 03:38 PM
No, that's not possible because of the scenario. In this scenario, there are some networks that share the network hardware but are isolated in a VLAN. We don't know which DNS configuration they have, but we want that, if they need to access certain web pages, the DNS resolution points directly to our DMZ instead of the public IP address.
I know which PA interface they're using, the network addresses for this VLAN and the domains I need to proxy, but I don't know their DNS configuration (it could be any public server); so I need to intercept their DNS requests to mydomain.com and resolve them with my internal DNS servers.
Is this possible?
Thanks!
02-22-2012 12:45 AM
Hi
the DNS proxy doesn't intercept DNS queries but functions as a proxy: clients will need to be configured to use the PA's interface as a proxy server so they forward their DNS queries to the PA. The PA can then be configured to resolve certain URLs to a specific IP or forward these to an internal DNS server, and forward all the other requests on to an internet DNS (or to an internal one).
If you want to be able to intercept DNS queries to unknown DNS servers you may want to try setting up a NAT rule that forwards all UDP 53 traffic to an internal destination (or the DNS proxy IP) if it is sourced from the specific VLAN.
regards
Tom
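The two points in Tom's reply, that the DNS proxy only acts on queries actually addressed to the PA interface and that a destination NAT on UDP/53 from the VLAN is what makes queries to an arbitrary public resolver reach it, can be modelled end to end. The following is an added illustration written for this thread, not Palo Alto code and not the PAN-OS NAT or DNS-proxy configuration itself; the VLAN range, proxy address, resolver addresses, the proxy rule table and the DNS query bytes are all constructed for the example. It builds a minimal DNS A query, applies a DNAT rule only to UDP/53 packets sourced from the VLAN, and then runs the proxy's decision: answer from a static entry, forward to the internal resolver for mydomain.com, or forward everything else upstream.

```python
"""
Transparent DNS interception model: destination NAT of UDP/53 from one VLAN
to a DNS proxy, then the proxy's static-entry / forwarding decision.

Added example for the thread above; not Palo Alto code. All addresses,
rules and packet bytes below are constructed assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed addresses (assumptions, not taken from the thread).
VLAN_NET = ipaddress.ip_network("10.20.0.0/24")  # the isolated VLAN
PROXY_IP = "10.20.0.1"                            # PA inside interface running the DNS proxy
UPSTREAM_DNS = "8.8.8.8"                          # public resolver the proxy forwards to
INTERNAL_DNS = "10.0.0.53"                        # internal resolver authoritative for mydomain.com

# Proxy rules in the spirit of the thread: a static entry is answered by the
# proxy itself; a domain-match rule forwards to a chosen server; the rest go upstream.
STATIC_ENTRIES = {"www.google.es": "1.1.1.1"}
DOMAIN_RULES = [("*.mydomain.com", INTERNAL_DNS), ("mydomain.com", INTERNAL_DNS)]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


def dnat_udp53(pkt: Packet) -> Packet:
    """Destination NAT: rewrite any UDP/53 packet sourced from VLAN_NET so its
    destination becomes the proxy, whatever resolver the client configured.
    Packets from other networks or other ports pass through untouched."""
    if (pkt.proto == "udp" and pkt.dport == 53
            and ipaddress.ip_address(pkt.src) in VLAN_NET):
        return Packet(pkt.src, PROXY_IP, pkt.dport, pkt.proto, pkt.payload)
    return pkt


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: standard header (RD set, one question), QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(payload: bytes) -> str:
    """Extract the first question name (question names are never compressed)."""
    labels, pos = [], 12  # 12-byte DNS header precedes the question section
    while True:
        length = payload[pos]
        if length == 0:
            break
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def proxy_decide(pkt: Packet) -> tuple[str, str]:
    """What the DNS proxy does with a packet. A query not addressed to the
    proxy is never seen by it, which is the behaviour the original poster hit."""
    if pkt.dst != PROXY_IP:
        return ("not_seen", pkt.dst)
    name = parse_qname(pkt.payload)
    if name in STATIC_ENTRIES:
        return ("answer", STATIC_ENTRIES[name])
    for pattern, server in DOMAIN_RULES:
        if fnmatch(name, pattern):
            return ("forward", server)
    return ("forward", UPSTREAM_DNS)


def resolve_path(src: str, client_dns: str, name: str, with_dnat: bool) -> tuple[str, str]:
    """End to end: a client at `src` sends an A query for `name` to `client_dns`."""
    pkt = Packet(src, client_dns, 53, "udp", build_query(name))
    if with_dnat:
        pkt = dnat_udp53(pkt)
    return proxy_decide(pkt)


if __name__ == "__main__":
    client = "10.20.0.50"
    # Client pointed at a public resolver, no NAT rule: the proxy never sees the query.
    print(resolve_path(client, "8.8.8.8", "www.google.es", with_dnat=False))
    # Same client once the UDP/53 DNAT is in place: the static entry answers.
    print(resolve_path(client, "8.8.8.8", "www.google.es", with_dnat=True))
    # mydomain.com names go to the internal resolver; everything else upstream.
    print(resolve_path(client, "8.8.8.8", "intranet.mydomain.com", with_dnat=True))
    print(resolve_path(client, "8.8.8.8", "example.org", with_dnat=True))
```

The `with_dnat=False` case reproduces the original poster's result: a query sent to 8.8.8.8 is simply routed past the PA's proxy. The NAT rule keys on source network, protocol and port only, so it catches whatever resolver the VLAN hosts happen to use; note that it does nothing for DNS over TCP/53 or for DNS over HTTPS/TLS, which would need their own handling.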