PaloAlto and DNS

dtran
L3 Networker

I have a PAN running version 8.1.17 and it is configured with two DNS servers on the management interface, you know, the usual, nothing special. I have security and NAT rules on the PAN firewall that use FQDN.

Is there a way to detect when the PAN fails to query the DNS server? Is there anything in the system log that will tell me the PAN can NOT resolve DNS queries because the DNS servers are not available?

MP18
Cyber Elite

@dtran

DNS is used by the management plane and you will not see the logs in the system logs.

If you have two DNS servers configured for the MP, then if the first one does not work it will try the second.

To see the logs of the DNS server, use this command:

admin@BMS> tcpdump filter "port 53"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C6 packets captured
6 packets received by filter
0 packets dropped by kernel

admin@BMS> view-pcap mgmt-pcap mgmt.pcap
16:27:32.181752 IP 192.168.1.10.51698 > 10.25.51.60.domain: 39467+ A? pool.ntp.org. (30)
16:27:32.181783 IP 192.168.1.10.51698 > 10.25.51.60.domain: 48046+ AAAA? pool.ntp.org. (30)
16:27:32.421488 IP 10.25.51.60.domain > 192.168.1.10.51698: 48046 0/1/0 (85)
16:27:32.421675 IP 10.25.51.60.domain > 192.168.1.10.51698: 39467 4/0/0 A 216.55.208.22, A 205.206.70.7, A 68.69.221.61, A 209.115.181.110 (94)
16:27:35.212415 IP 192.168.1.10.37727 > 10.25.51.60.domain: 1564+ [1au] AAAA? home-fw.ecobee.com. (47)
16:27:35.214506 IP 10.25.51.60.domain > 192.168.1.10.37727: 1564 1/1/1 CNAME home-fw.hm-prod.ecobee.com. (167)

Where 192.168.1.10 is the management IP of the PA and 10.25.51.50 is my internal DNS server.

 

Regards

MP
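Added example, not from this thread or from Palo Alto Networks: since DNS failures do not surface in the system log, one way to detect them from the management-plane capture shown above is to pair each query ID in the view-pcap output with its reply and flag queries that never get one (a DNS server that is down simply never answers), separately from replies that carry an error RCODE. The sample lines are constructed in the format shown above; the helper names are assumptions of this example.

```python
import re

# Parses the tcpdump-style text that "view-pcap mgmt-pcap mgmt.pcap" prints
# (helper written for this thread, not a PAN-OS feature).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<qid>\d+)[+*$|-]*(?: \[[^\]]*\])? (?P<rest>.*)$"
)
RCODE_RE = re.compile(r"^(NXDomain|ServFail|Refused|FormErr|NotImp)")
def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def audit_dns_capture(lines, timeout=2.0):
    """Return (unanswered, failed): questions that got no reply within
    `timeout` seconds (server unreachable) and replies with an error RCODE."""
    pending = {}                  # (client "ip.port", query id) -> (t, question)
    unanswered, failed, last = [], [], 0.0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        t = _seconds(d["ts"])
        last = max(last, t)
        if d["dst"].endswith(".domain"):      # client -> server: a query
            pending[(d["src"], d["qid"])] = (t, d["rest"].split(" (")[0])
        elif d["src"].endswith(".domain"):    # server -> client: a reply
            q = pending.pop((d["dst"], d["qid"]), None)
            rc = RCODE_RE.match(d["rest"])
            if q and rc:
                failed.append((q[1], rc.group(1)))
    for t, question in pending.values():
        if last - t >= timeout:           # still unanswered well after it was sent
            unanswered.append(question)
    return unanswered, failed

# Constructed sample: one healthy lookup, one query retried and never answered
# (what an unreachable DNS server looks like on the wire), and one NXDomain.
SAMPLE = """\
16:27:32.181752 IP 192.168.1.10.51698 > 10.25.51.60.domain: 39467+ A? pool.ntp.org. (30)
16:27:32.421675 IP 10.25.51.60.domain > 192.168.1.10.51698: 39467 4/0/0 A 216.55.208.22 (94)
16:27:40.000100 IP 192.168.1.10.40001 > 10.25.51.60.domain: 7001+ A? fqdn-object.example.net. (41)
16:27:45.000200 IP 192.168.1.10.40001 > 10.25.51.60.domain: 7001+ A? fqdn-object.example.net. (41)
16:27:50.100000 IP 192.168.1.10.40002 > 10.25.51.60.domain: 7002+ A? typo.example.net. (34)
16:27:50.101500 IP 10.25.51.60.domain > 192.168.1.10.40002: 7002 NXDomain* 0/1/0 (85)
"""

def demo():
    return audit_dns_capture(SAMPLE.splitlines())
```

Run against a real capture, an unanswered FQDN-object query is the signal that the system log will not give you; an NXDomain reply means the server is reachable but the name is wrong.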
dtran
L3 Networker

I know how DNS works and I also know how tcpdump works, but that is not my question.

If the PAN can NOT communicate with DNS over the MP for FQDN resolution, will there be any messages in the system log file that will tell me? Apparently, I see messages in the system log for LDAP, but not DNS. Why?

Hanoverr
L0 Member

Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name, such as www.paloaltonetworks.com, to an IP address so that users can access computers, websites, services, or other resources on the internet or private networks.

MickBall
L7 Applicator

Seems I only get a resolve error... not an actual connection error....

[attached screenshot: MickBall_0-1607341458889.jpeg]

 

MP18
Cyber Elite

@dtran Seems this is by PA design.

If you want to see failure logs for the DNS server in the system logs, you can check with your SE and ask for a feature request.

As @MickBall mentioned, you will only see logs of type: general whose description contains 'Connection to Update server closed: updates.paloaltonetworks.com, source: '

 

If you want to see additional info, you can check ms.log, which is part of the management server logs. It shows that it failed to check, but it does not give me any information about the DNS failure.

"error code:-1" may indicate a connection failure:

2020-12-12 14:36:15.666 -0800 Error: pan_mgmtop_support_check_handler(pan_ops_common.c:10318): Error removing file:/opt/pancfg/mgmt/global/supportinfo.xml.10277
2020-12-12 14:36:15.666 -0800 updater error code:-1
'cfg.platform.express-mode': NO_MATCHES
NO_MATCHES
NO_MATCHES
2020-12-12 14:37:31.116 -0800 ### MS-DB: RuleHit update: /opt/pancfg/mgmt/devices/localhost.localdomain/rule-hit-count-db.txt
2020-12-12 14:38:07.573 -0800 updater error code:-1

 

Hope this helps

 

Regards

MP
jdelio
Community Team Member

The question that I have is: what exactly is happening to you?

LIVEcommunity team member
Stay Secure,
Joe