Windows DNS Server behind PA

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows DNS Server behind PA

Not applicable

Did a PA install last night, the client had a public facing DNS server. the DNS server had a public IP before we moved it behind PA to nat it. while it was outside firewall with public IP the DNS queries from internet worked fine without any issues. Once we moved it behind PA and gave it static one-to-one nat with proper security policies for dns tcp and udp port 53 then DNS queries from the internet stopped working. I did see traffic hitting the PA and passed to the internet server properly with proper natting but dns would not work. The server also had ftp and web server and those services worked fine from internet.

Had to move the server back outside the PA to continue service but need to know how to fix this before moving it behind PA again.

So quesiton is, what is PA doing differently with DNS? how can I publish Microsoft DNS server running on windows 2003 Server to the internet? I did proper nat and security policies for the IP and port traffic but no luck. Am I missing something? any help would be greatly appreciated. thanks,



L4 Transporter

Just saying "I did proper NAT and security policies" doesn't really help us honestly... do you have screenshots of your rules?

You could possibly try to build an app override for TCP port 53 and UDP port 53 and apply them to the security rule you built, just to rule out the App-ID engine being the problem.

unortunately I am not on site today to be able to take screen shots or get logs info. but just a general question, is there anything special or specific that needs to be done on PA devices to publish DNS servers?

Not that I'm aware of honestly... if you allow the App-ID DNS inbound it should "just work" in theory.

so you suggest allowing App-ID DNS instead of service tcp/udp port 53 inbound?

For what it is worth, I have been running Microsoft DNS servers behind the Palo Alto firewall for quite some time.  These are in my DMZ, exposed to the Internet, and allow resolution of a few of our DNS zones.  I'm currently running Microsoft server 2012 on these DNS servers.

The Palo Alto firewall rule is nothing special.  It is your typical rule to allow incoming traffic, and allows UDP port 53 as a service.  I have application set to any.

I have manually configured bi-directional NAT so that inbound and outbound traffic all originates from and terminates to the same public IP address.

One thing that got me when I first setup this up was I forgot to go into the Windows server firewall rules and allow DNS from networks other than the one the server was on.

App-ID DNS and "application default" for the service should let DNS in... at least I've not seen PA mis-identify DNS traffic in the past for me.

just came across this...

I wonder if this was causing the problems. will try it in next maintenance window

Hi KillerKhan,

  did you fix your issue? I am facing your same problem with an infoblox device I need to publish behind a PAVM via PAT on dns53UDP.

Despite I did the right rule, no dns traffic is redirected to the PAN interface...


walter doria


You should have no problem, you probably misconfigured a NAT rule or the associated Security rule.

You should try not to use a Bi-direction NAT but 2 NAT rules and double check your Security rule (remember the trick for destination NATs).

probably not but if you want the traffic logs will show bytes sent  / recv sizes.

more than likely a nat misconfiguration.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!