Scenario: We have the web server for example.com in the trust zone. Anyone can access it from anywhere, because the firewall has a destination NAT rule with a public IP for example.com.
Problem: As we don't have an internal DNS server that resolves example.com, all requests from the LAN to example.com go out to the internet (public DNS) and come back to our DMZ, which is a huge amount of traffic.
Is it possible?: When the request traffic for example.com hits the LAN interface, that traffic should be redirected back to the server hosted internally through the same LAN interface.
Thank you in advance,...
As per my understanding, the Palo Alto Networks firewall cannot be used as a DNS server. The firewall can, however, point to a DNS server as a DNS proxy.
The primary problem is that the end-user machine will send the DNS request directly to the external server (not to the PAN firewall).
You can add a NAT rule so that traffic from an internal network to one of your public IP addresses is translated to an internal address:
Name: Example DNS Fixup
Source zone: Inside
Destination zone: Outside
Destination address: (specify the public IP address)
Destination translation: (specify the internal IP address)
You can specify multiple source zones. And, good management practices would also use address object names rather than bare IP addresses. For us, we also append "_ref" to the names of our public addresses. That provides a quick sanity check on internal versus external addresses.
Just for testing, could you please configure DNS proxy on the PAN firewall and add a static entry for www.example.com?
Hope this helps.
The feature you really want is called DNS doctoring. With DNS doctoring, when you configure a NAT, the firewall will "doctor" the DNS response for internal clients to present your internal IP address instead of the public one. DNS doctoring is not yet a feature on the Palo Alto. Contact your sales team and ask if there is a Feature Request pending that you can add a vote for.
In the meantime, if you set up DNS proxy from the link Hulk provided, you can perform the following steps to have your setup act as desired.
1-Configure the DNS proxy
2-Add static entries (step 5 in the documentation) with the internal address for all your server resources
3-Change your DHCP server to present the PA as the DNS server for your LAN
4-Update any static computers to use the PA for DNS
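As an added example (not from this thread and not Palo Alto Networks code), the following pure-Python model shows the two DNS-side approaches discussed in the reply above: a DNS-proxy static entry, which is answered locally and never forwarded, and DNS doctoring, which forwards the query and rewrites the A record in the response on the way back. The name www.example.com, the public address 203.0.113.10 (documentation range) and the internal address 192.168.10.10 are assumptions, and `public_upstream` is a constructed stand-in for the public resolver. The response is handled in real DNS wire format, so the compression-pointer handling and the fact that a 4-byte-for-4-byte rdata swap leaves every offset valid are what the example demonstrates.

```python
"""DNS-proxy static entries and DNS doctoring, modelled on DNS wire format.

Added example, not code from the original thread or from Palo Alto Networks.
Assumed values: www.example.com, public 203.0.113.10, internal 192.168.10.10.
"""
import ipaddress
import struct

DOCTOR_MAP = {"203.0.113.10": "192.168.10.10"}          # public -> internal (assumed)
STATIC_ENTRIES = {"www.example.com": "192.168.10.10"}   # static proxy entries (assumed)


def _read_name(msg, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just after the name in the original byte stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(bytes(msg[offset:offset + length]).decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=300):
    """Minimal DNS A response: header, one question, one answer (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # Answer owner name is a pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def a_records(msg):
    """Return (name, rdata_offset, ip) for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ip = str(ipaddress.IPv4Address(bytes(msg[offset:offset + 4])))
            records.append((name, offset, ip))
        offset += rdlen
    return records


def doctor_response(msg, doctor_map=DOCTOR_MAP):
    """DNS doctoring: swap public A-record rdata for the internal address.
    Only the 4 rdata bytes change, so lengths, offsets and pointers stay valid."""
    buf = bytearray(msg)
    rewritten = 0
    for _name, rdata_off, ip in a_records(buf):
        if ip in doctor_map:
            buf[rdata_off:rdata_off + 4] = ipaddress.IPv4Address(doctor_map[ip]).packed
            rewritten += 1
    return bytes(buf), rewritten


def proxy_resolve(txid, qname, upstream, static=STATIC_ENTRIES, doctor_map=DOCTOR_MAP):
    """Proxy model: static entries are answered locally; anything else is
    forwarded to upstream and the reply is doctored before it reaches the client."""
    if qname in static:
        return build_a_response(txid, qname, static[qname]), "static"
    reply, n = doctor_response(upstream(txid, qname), doctor_map)
    return reply, ("doctored" if n else "forwarded")


def public_upstream(txid, qname):
    """Constructed stand-in for the public resolver: always returns the public IP."""
    return build_a_response(txid, qname, "203.0.113.10")


if __name__ == "__main__":
    for name in ("www.example.com", "mail.example.com"):
        reply, how = proxy_resolve(0x1234, name, public_upstream)
        print(name, how, [ip for _, _, ip in a_records(reply)])
```

Either path only helps if the client's query actually passes through the proxy, which is why the steps above end with pointing DHCP and static hosts at the PA for DNS; a client that resolves through a resolver the firewall never sees (for example DNS over HTTPS) still receives the public address and takes the hairpin path.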