01-03-2024 11:53 PM
Hi All,
I have been experiencing DNS resolution issue for one particular website on all the systems under our Palo Alto firewall network. However, it is working well on the systems under our Sophos network.
At first, I checked the website category and found it falls under malware and gave an exception to it to be accessed on our network in the URL filtering, but no luck. Then, removed all the security profiles for the security rule that I am in and it didn't work either. In the meantime, I couldn't see any log in the traffic monitor. Then, I noticed the browser throwing this error "DNS_PROBE_FINISHED_NXDOMAIN"
It doesn't make sense, as it worked well on other systems that run through Sophos but not with any of the systems with Palo Alto.
Please help me with this and let me know if I am missing something.
Thanks,
Jerome
01-05-2024 09:52 AM
@Jerome.j I did request for site recategorize
Hope this helps you now
Regards
01-05-2024 10:19 AM
Since you added a forward zone/resolution on your internal DNS server and it works, it sounds like your DNS server couldn't previously resolve that domain. Does your DNS server just forward requests to Google 8.8.8.8/etc. or does it actually work as a full recursive DNS server querying the SOA of the domain?
I suspect the later, in which case your DNS server was probably trying to resolve the domain from the SOA but couldn't connect. That sounds like the PaloAlto was blocking the DNS server's requests out to the internet, not the end user's browser. I.e. your client browser is trying to go to "blog.example.com" so the following happens:
1) The user types "blog.example.com" into the browser.
2) The client machine sends a DNS lookup request for the FQDN to your DNS server. (client -> dns:53)
3) The DNS server queries the root DNS servers and finds that the "example.com" SOA points to "ns.malware.test" (dns -> rootserver:53)
4) The DNS server then tries to query "ns.malware.test" for the FQDN "blog.example.com" but is blocked by the PaloAlto do to the destination. (dns -X-> ns.malware.test:53)
5) The DNS server is unable to resolve the domain so it sends a NXDOMAIN back to the client. (dns:53 -> client)
6) The browser display a DNS_PROBE_FINISHED_NXDOMAIN error to the user.
By putting a local forward zone into the DNS server, you have short-circuited steps #3-4 so the DNS server immediately returns the configured IP to the client in step #5 and the browser connects to that IP in step #6.
It is hard to guess at other people's PA configurations, but I would start looking in you logs for outbound connections from your DNS server to port 53 on internet hosts that may have been blocked (i.e. destination IP is in a blacklist, malicious IP EDL, country/region block, etc.). You can also use any one of many online tools to lookup the SOA of the domain you are having issues with, such as:
https://mxtoolbox.com/SOALookup.aspx
Once you know the SOA address, you can test whether connections from the DNS server to the SOA destination address it would be blocked by your filter rules: Policies -> Security -> Test Policy Match
01-04-2024 09:34 AM
That error means that the browser can not resolve an IP address for the name given... so the DNS is not working. If you do a nslookup for the name on a command line, what do you get? I am guess it is a "Non-existant domain" error. Does this extend to other internet names as well?
It sounds like you have DNS filtering in place somewhere that is blocking/filtering DNS responses (you can sinkhole DNS on the PaloAlto, but normally that returns an IP that directs to a blocked page or gets dropped, not return a not-resolved DNS error).
01-05-2024 04:24 AM
Hi Adrian,
I didn't configure any DNS filtering in the firewall. Other names are getting resolved without issues.
Then, I added a forward lookup zone for the website in our DNS server and added a host pointing to the site's public address. It worked fine and I let it be.
Do I need to check anything on the firewall to access the website without that DNS host in the DNS server?
Thanks,
Jerome
01-05-2024 09:52 AM
@Jerome.j I did request for site recategorize
Hope this helps you now
Regards
01-05-2024 09:58 AM
@Jerome.j Also I have no issues while accessing this website
01-05-2024 10:19 AM
Since you added a forward zone/resolution on your internal DNS server and it works, it sounds like your DNS server couldn't previously resolve that domain. Does your DNS server just forward requests to Google 8.8.8.8/etc. or does it actually work as a full recursive DNS server querying the SOA of the domain?
I suspect the later, in which case your DNS server was probably trying to resolve the domain from the SOA but couldn't connect. That sounds like the PaloAlto was blocking the DNS server's requests out to the internet, not the end user's browser. I.e. your client browser is trying to go to "blog.example.com" so the following happens:
1) The user types "blog.example.com" into the browser.
2) The client machine sends a DNS lookup request for the FQDN to your DNS server. (client -> dns:53)
3) The DNS server queries the root DNS servers and finds that the "example.com" SOA points to "ns.malware.test" (dns -> rootserver:53)
4) The DNS server then tries to query "ns.malware.test" for the FQDN "blog.example.com" but is blocked by the PaloAlto do to the destination. (dns -X-> ns.malware.test:53)
5) The DNS server is unable to resolve the domain so it sends a NXDOMAIN back to the client. (dns:53 -> client)
6) The browser display a DNS_PROBE_FINISHED_NXDOMAIN error to the user.
By putting a local forward zone into the DNS server, you have short-circuited steps #3-4 so the DNS server immediately returns the configured IP to the client in step #5 and the browser connects to that IP in step #6.
It is hard to guess at other people's PA configurations, but I would start looking in you logs for outbound connections from your DNS server to port 53 on internet hosts that may have been blocked (i.e. destination IP is in a blacklist, malicious IP EDL, country/region block, etc.). You can also use any one of many online tools to lookup the SOA of the domain you are having issues with, such as:
https://mxtoolbox.com/SOALookup.aspx
Once you know the SOA address, you can test whether connections from the DNS server to the SOA destination address it would be blocked by your filter rules: Policies -> Security -> Test Policy Match
01-06-2024 12:52 AM
Thank you @MP18. This is a much-needed one for me..
01-08-2024 09:48 PM
It is working fine for me now. Thanks @MP18
01-08-2024 09:52 PM
Thanks @Adrian_Jensen I now get how it works and able to find out where it stuck.
01-09-2024 07:06 AM
@Jerome.j Thanks for letting us know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
