what is the concept of DNS-proxy?

L3 Networker

Hi all.

I'd like to configure and understand DNS proxy.

Domo customer wants to configure DNS proxy.

So I read the PA 4.0 administration guide, but I can't understand it completely.

What concept does DNS-proxy have?

Is it mapped between internal DNS and external DNS?

If I make a DNS-proxy rule, is it possible to connect the Internet with the internal DNS server?

When do I use the DNS-proxy?

The customer has an internal DNS server, but this server can't connect to the external network, including public DNS servers, because of a security issue.

So this internal DNS cannot update DNS information due to the network communication problem.

Clients must use the internal DNS for internal communication.

Is DNS-proxy an appropriate way to communicate with the Internet in this environment?

Please explain to me how to configure DNS proxy, if it is an appropriate way.

Administration guide is not enough to understand.

Thanks and regards,


L7 Applicator

Hi Eugene

the DNS proxy is a stub resolver, this means it can receive and forward DNS queries to other (authoritative or recursive) DNS servers but can't act on its own.

it enables you to reroute requests for certain zones to a DNS server of your choosing, and forward everything else to a different DNS

a good example would be servers in a DMZ that need to know certain internal zones, but you don't want them accessing the internal DNS server directly.

if you set up a DNS proxy that reroutes for example localzone.local to your internal DNS server, and forwards everything else to the external DNS, you make sure other zone information on your internal DNS servers is kept secret from the DMZ servers.

it can also be set up to connect internal DNS servers with external ones, if you don't want them directly connecting to each other, or if the internal DNS servers are not allowed outside of the network, as in your example


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
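
Added example, not part of the original reply and not PAN-OS code: a small Python model of the forwarding decision described above, where queries for localzone.local go to the internal DNS server and everything else goes to the external resolvers. The server addresses, the function names and the matching rule (case-insensitive, longest suffix, whole labels only) are assumptions made for illustration.

```python
# Model of a DNS proxy rule table: zone suffix -> upstream DNS servers.
# All addresses below are constructed sample values.
DEFAULT_UPSTREAMS = ["192.0.2.53", "192.0.2.54"]   # external primary/secondary
PROXY_RULES = {
    "localzone.local": ["10.0.0.53"],              # internal DNS server
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def select_upstreams(qname, rules=PROXY_RULES, default=DEFAULT_UPSTREAMS):
    """Return the upstream servers a query for qname is forwarded to.

    Assumed semantics: a rule matches when its zone equals the query name
    or is a parent of it on a label boundary; the longest matching zone
    wins; anything unmatched goes to the default (external) servers.
    """
    table = {normalize(zone): servers for zone, servers in rules.items()}
    labels = normalize(qname).split(".")
    # Walk from the full name towards the TLD, so the first hit is the
    # longest matching suffix.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default


def route_table(qnames, rules=PROXY_RULES, default=DEFAULT_UPSTREAMS):
    """Map each query name to its selected upstreams, for review."""
    return {q: select_upstreams(q, rules, default) for q in qnames}


if __name__ == "__main__":
    sample = [                      # constructed queries from a DMZ host
        "db1.localzone.local",      # rerouted to the internal server
        "notlocalzone.local",       # shares a string suffix, not a label
        "hr.corp.internal",         # other internal zone: never sent inside
        "www.example.com",
    ]
    for name, servers in route_table(sample).items():
        print(f"{name:24} -> {servers}")
```

Matching on whole labels matters here: a plain string-suffix test would send notlocalzone.local to the internal server, widening what the DMZ hosts can ask it.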

L1 Bithead

I used the DNS proxy so my internal Windows DNS servers only communicate with the Palo Alto DNS Proxy and not directly with Internet DNS servers.

Set up DNS Proxy with a primary and secondary Internet DNS server.

Set up a security rule allowing DNS to the trusted interface and out the untrusted.

Windows DNS forwarded to the trusted interface.

Windows DNS checked "do not use recursion for this domain".

Not applicable

How does this work with NAT? Does this feature work like the Cisco DNS rewrite?

Thank you,


L7 Applicator

the DNS proxy will behave like service routes: it will use the interface IP of its egress interface as source IP and the VR as routing table

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374