Hi @popoymaster ,
It is sufficient for the DNS traffic to go through the PA. You can configure the remote sites to use the DNS servers at the hub. It is very important that the Anti-Spyware profiles are applied to the traffic.
Just a side note: make sure all DNS queries are seen by the firewall, not only the requests on udp/53.
(thinking about DoH / DoT, more info here https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/3...)
I never said it is not possible 🙂
(on the webUI, in network, you have "DNS Proxy").
And Tom suggested there was no requirement for carrying the DNS service: as long as the firewalls inspect the traffic, DNS Security (if licensed) can inspect the queries and sinkhole risky domain names.
The issue I raised: if a (tech-savvy) user changes the DNS, you lose control of that traffic.
(and actually, an attacker on a compromised machine can change it as well).
That is exactly what we want to implement: push the traffic from the remote sites to the HUB, and let the Palo Alto do DNS sinkholing (licensed).
So my question is how? I am thinking of provisioning a DNS server in the HUB, so that this DNS server pushes the DNS queries through the PA for inspection.
I don't see any issue then.
You make sure the traffic is going to the central site (static default route, or advertising the default route over some routing protocol between the central site and the remote sites).
And you simply have to set the anti-spyware profile for the traffic (remote site > any) on the PANW firewall.
DNS Security is configured in the anti-spyware profile.
Also, if you have read the link I shared earlier, you may take measures regarding DoH and DoT.
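As an added example (not from this thread and not Palo Alto Networks code), here is a small script that reads a constructed, simplified flow log and flags endpoints whose DNS does not go to the hub resolvers, including DoT on tcp/853 and DoH to known resolver addresses. The approved-resolver set, the DoH endpoint list and the log layout are all assumptions made for the example.

```python
"""Flag DNS traffic that bypasses the hub resolvers the firewall is meant to inspect."""
from collections import defaultdict

# Assumption: the hub's approved resolvers (example addresses, not from the thread).
APPROVED_RESOLVERS = {"10.10.0.53", "10.10.0.54"}
# Assumption: addresses known to serve DNS-over-HTTPS on 443 (constructed list).
KNOWN_DOH_ENDPOINTS = {"198.51.100.1", "203.0.113.9"}


def classify(src, dst, proto, dport):
    """Return a finding label for one flow, or None if the flow is acceptable."""
    # Plain DNS (udp or tcp 53) is fine only when it reaches an approved hub resolver.
    if dport == 53 and dst not in APPROVED_RESOLVERS:
        return "plain-dns-to-unapproved-resolver"
    # DNS-over-TLS uses a dedicated port, so it is easy to spot regardless of destination.
    if dport == 853 and proto == "tcp":
        return "dns-over-tls"
    # DNS-over-HTTPS blends into ordinary 443 traffic; only a destination list catches it.
    if dport == 443 and proto == "tcp" and dst in KNOWN_DOH_ENDPOINTS:
        return "dns-over-https"
    return None


def find_bypasses(log_lines):
    """Group findings by source host: {src: [(label, dst), ...]}."""
    findings = defaultdict(list)
    for line in log_lines:
        src, dst, proto, dport = line.strip().split(",")
        label = classify(src, dst, proto, int(dport))
        if label:
            findings[src].append((label, dst))
    return dict(findings)


# Constructed sample log: src,dst,proto,dport (not the real PAN-OS traffic log format).
SAMPLE_LOG = [
    "192.168.20.15,10.10.0.53,udp,53",      # remote client using the hub resolver
    "192.168.20.15,10.10.0.53,tcp,53",      # large response retried over tcp, still fine
    "192.168.20.22,192.0.2.53,udp,53",      # client reconfigured to a foreign resolver
    "192.168.20.22,192.0.2.53,tcp,853",     # same client switched to DoT
    "192.168.20.30,198.51.100.1,tcp,443",   # browser doing DoH to a known endpoint
    "192.168.20.30,198.51.100.77,tcp,443",  # ordinary HTTPS, not flagged
]

if __name__ == "__main__":
    for host, hits in find_bypasses(SAMPLE_LOG).items():
        print(host, hits)
```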
Our VPN concentrator is a Fortigate; it has 2 VLANs, Internal and Transport.
Internal is where the DNS server resides.
Transport connects to the inside interface of the Palo Alto.
Now, how is it possible to forward the traffic from the internal DNS server and point it to the Palo Alto for DNS Security filtering?
If you are not backhauling all the traffic from the remote offices, then you should have all the security features enabled on all of the Palo Altos. In this case all of them will be able to perform threat detection etc. Here is a video for secure DNS made a few years ago that will work regardless of whether you backhaul or don't. Just make sure to use the secure DNS providers' IPs for DNS.
You don't need a license to use the basic features of Umbrella, e.g. already known bad sites. You just don't get a dashboard and customizable DNS filtering. From my understanding of the topology, not all the sites have Palo Alto devices. In this case, I would recommend a backhaul to the central site and let that device handle all the filtering etc. This is a common practice to save on costs at the remote offices; just increase bandwidth at the central location (bandwidth is cheap compared to all the licensing costs for each site). It can also help if you have any type of regulations you need to adhere to, since all sites now have a secure and filtered connection to the internet. Here is what CISA has to say about this topology: https://www.cisa.gov/resources-tools/resources/trusted-internet-connections-tic-30-core-guidance-doc...
Here is another write up about zero trust that you might have a look at: https://skrzsecurity.net/zero-trust