Intercept DNS requests

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Intercept DNS requests

L2 Linker

Hi all,

I've read in an article that it's possible to intercept DNS requests with DNS proxy without setting PA IP address as the computer DNS Server.

Following this article, I've enabled DNS proxy in a PA interface (inside), redirecting DNS request to a public DNS server; I've set up a DNS proxy rule to try to intercept the requests (for example, *.google.*) and created a DNS static entry like this: www.google.es --> 1.1.1.1

But if I set up a public DNS server in my computer (8.8.8.8 or any other) the DNS request are not intercepted, only if a set up the PA interface IP as my DNS the DNS requests are resolved as I want.

Is there anything wrong in my configuration? Or DNS proxy interception isn't really working?

3 REPLIES 3

L6 Presenter

Is it possible to perhaps setup a DNAT rule so outgoing appid=dns (standard-ports) will be destination natted into the PAN interface facing the client sending the DNS request?

No, that's not possible because of the scenario. In this scenario, there are some networks that are sharing the network hardware but are isolated in a VLAN. We don't know which DNS configuration they have, but we want that if they need to access to certain web pages, the DNS resolution points directly to our DMZ instead the public IP address.

I know which PA interface they're using, the network adresses for this VLAN and the domains I need to proxy, but I don't know the DNS configuration (could be any public server); so I need to intercept their DNS requests to mydomain.com and resolve them with my internal DNS servers.

Is this possible?

Thanks!

Hi

the DNS proxy doesn't intercept DNS queries but functions as a proxy: clients will need to be configured to use the PA's interface as a proxy server so they forward their DNS queries to the PA. The PA can then be configured to resolve certain URL's to a specific IP or forward these to an internal DNS server and forward all the other requests on to an internet DNS (or to an internal one).

If you want to be able to intercept DNS queries to unknown DNS servers you may want to try setting up a NAT rule that forwards all udp 53 traffic to an internal destination (or the DNS proxy IP) if they are sourced from the specific vlan.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3207 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!