I configured a PA500 with Pan OS 4.1 wit the WAN interface as DHCP-Client and default route to this interface.
In DNS-Proxy settings I configured a DNS-Proxy with inherit source the wan if. Primary and secondary DNS is inherited and the dns proxy is aktivated for the internal interface. A firewall rule gives all users access to the dns-proxy for name resolution an the PA is allowed from wan to wan for dns. In traffic monitor I can see, that users gain acces to the dns proxy. But the PA want's to go out for dns resolution with the internal if. So I have to configure a rule to give the internal if access to external. Thats not practicible. At the and I hae to give 25 internal interfaces acces to external DNS.
On a second appliance without DHCP on the WAN-interface it works like expected. The PA works realy as a proxy. User have acces to the PA for DNS and the PA gos out for DNS Requests wit his external interfaces.
Thank you for the advise, I changed the interface to use for DNS request as the external one but in the logs, I still can see that the DNS request are from the internal interface (matching the security rule I've created for this purpose, i.e. interface interface to public DNS server).
I am running PAN-OS 4.1.0.
Thank you very much!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!