DNS not resolving for a website

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

DNS not resolving for a website

L1 Bithead

Hi All,

 

I have been experiencing DNS resolution issue for one particular website on all the systems under our Palo Alto firewall network. However, it is working well on the systems under our Sophos network. 

At first, I checked the website category and found it falls under malware and gave an exception to it to be accessed on our network in the URL filtering, but no luck. Then, removed all the security profiles for the security rule that I am in and it didn't work either. In the meantime, I couldn't see any log in the traffic monitor. Then, I noticed the browser throwing this error "DNS_PROBE_FINISHED_NXDOMAIN" 

It doesn't make sense, as it worked well on other systems that run through Sophos but not with any of the systems with Palo Alto.

Please help me with this and let me know if I am missing something.

 

Thanks,

Jerome

2 accepted solutions

Accepted Solutions

@Jerome.j   I did request for site recategorize

 

Hope this helps you now

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

View solution in original post

L6 Presenter

Since you added a forward zone/resolution on your internal DNS server and it works, it sounds like your DNS server couldn't previously resolve that domain. Does your DNS server just forward requests to Google 8.8.8.8/etc. or does it actually work as a full recursive DNS server querying the SOA of the domain?

 

I suspect the later, in which case your DNS server was probably trying to resolve the domain from the SOA but couldn't connect. That sounds like the PaloAlto was blocking the DNS server's requests out to the internet, not the end user's browser. I.e. your client browser is trying to go to "blog.example.com" so the following happens:

1) The user types "blog.example.com" into the browser.

2) The client machine sends a DNS lookup request for the FQDN to your DNS server. (client -> dns:53)

3) The DNS server queries the root DNS servers and finds that the "example.com" SOA points to "ns.malware.test" (dns -> rootserver:53)

4) The DNS server then tries to query "ns.malware.test" for the FQDN "blog.example.com" but is blocked by the PaloAlto do to the destination. (dns -X-> ns.malware.test:53)

5) The DNS server is unable to resolve the domain so it sends a NXDOMAIN back to the client. (dns:53 -> client)

6) The browser display a DNS_PROBE_FINISHED_NXDOMAIN error to the user.

 

By putting a local forward zone into the DNS server, you have short-circuited steps #3-4 so the DNS server immediately returns the configured IP to the client in step #5 and the browser connects to that IP in step #6.

 

It is hard to guess at other people's PA configurations, but I would start looking in you logs for outbound connections from your DNS server to port 53 on internet hosts that may have been blocked (i.e. destination IP is in a blacklist, malicious IP EDL, country/region block, etc.). You can also use any one of many online tools to lookup the SOA of the domain you are having issues with, such as:

https://mxtoolbox.com/SOALookup.aspx

 

Once you know the SOA address, you can test whether connections from the DNS server to the SOA destination address it would be blocked by your filter rules: Policies -> Security -> Test Policy Match

View solution in original post

9 REPLIES 9

L6 Presenter

 That error means that the browser can not resolve an IP address for the name given... so the DNS is not working. If you do a nslookup for the name on a command line, what do you get? I am guess it is a "Non-existant domain" error. Does this extend to other internet names as well?

 

It sounds like you have DNS filtering in place somewhere that is blocking/filtering DNS responses (you can sinkhole DNS on the PaloAlto, but normally that returns an IP that directs to a blocked page or gets dropped, not return a not-resolved DNS error).

Hi Adrian,

 

I didn't configure any DNS filtering in the firewall. Other names are getting resolved without issues.

Then, I added a forward lookup zone for the website in our DNS server and added a host pointing to the site's public address. It worked fine and I let it be. 

Do I need to check anything on the firewall to access the website without that DNS host in the DNS server?

 

Thanks,

Jerome

@Jerome.j   I did request for site recategorize

 

Hope this helps you now

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

@Jerome.j   Also I have no issues while accessing this website

MP

Help the community: Like helpful comments and mark solutions.

L6 Presenter

Since you added a forward zone/resolution on your internal DNS server and it works, it sounds like your DNS server couldn't previously resolve that domain. Does your DNS server just forward requests to Google 8.8.8.8/etc. or does it actually work as a full recursive DNS server querying the SOA of the domain?

 

I suspect the later, in which case your DNS server was probably trying to resolve the domain from the SOA but couldn't connect. That sounds like the PaloAlto was blocking the DNS server's requests out to the internet, not the end user's browser. I.e. your client browser is trying to go to "blog.example.com" so the following happens:

1) The user types "blog.example.com" into the browser.

2) The client machine sends a DNS lookup request for the FQDN to your DNS server. (client -> dns:53)

3) The DNS server queries the root DNS servers and finds that the "example.com" SOA points to "ns.malware.test" (dns -> rootserver:53)

4) The DNS server then tries to query "ns.malware.test" for the FQDN "blog.example.com" but is blocked by the PaloAlto do to the destination. (dns -X-> ns.malware.test:53)

5) The DNS server is unable to resolve the domain so it sends a NXDOMAIN back to the client. (dns:53 -> client)

6) The browser display a DNS_PROBE_FINISHED_NXDOMAIN error to the user.

 

By putting a local forward zone into the DNS server, you have short-circuited steps #3-4 so the DNS server immediately returns the configured IP to the client in step #5 and the browser connects to that IP in step #6.

 

It is hard to guess at other people's PA configurations, but I would start looking in you logs for outbound connections from your DNS server to port 53 on internet hosts that may have been blocked (i.e. destination IP is in a blacklist, malicious IP EDL, country/region block, etc.). You can also use any one of many online tools to lookup the SOA of the domain you are having issues with, such as:

https://mxtoolbox.com/SOALookup.aspx

 

Once you know the SOA address, you can test whether connections from the DNS server to the SOA destination address it would be blocked by your filter rules: Policies -> Security -> Test Policy Match

Thank you @MP18. This is a much-needed one for me..

It is working fine for me now. Thanks @MP18 

Thanks @Adrian_Jensen I now get how it works and able to find out where it stuck. 

@Jerome.j  Thanks for letting us know.

MP

Help the community: Like helpful comments and mark solutions.
  • 2 accepted solutions
  • 7066 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!