I configured a PA500 with PAN-OS 4.1 with the WAN interface as DHCP client and the default route to this interface.
In the DNS proxy settings I configured a DNS proxy with the WAN interface as the inherit source. Primary and secondary DNS are inherited and the DNS proxy is activated for the internal interface. A firewall rule gives all users access to the DNS proxy for name resolution, and the PA is allowed from WAN to WAN for DNS. In the traffic monitor I can see that users gain access to the DNS proxy. But the PA wants to go out for DNS resolution with the internal interface. So I have to configure a rule to give the internal interface access to external. That's not practicable. In the end I have to give 25 internal interfaces access to external DNS.
On a second appliance without DHCP on the WAN interface it works as expected. The PA really works as a proxy. Users have access to the PA for DNS and the PA goes out for DNS requests with its external interfaces.
Thank you for the advice. I changed the interface to use for DNS requests to the external one, but in the logs I can still see that the DNS requests are from the internal interface (matching the security rule I've created for this purpose, i.e. interface interface to public DNS server).
I am running PAN-OS 4.1.0.
Thank you very much!