How to Configure DNS Proxy on a Palo Alto Networks Firewall

How to Configure DNS Proxy on a Palo Alto Networks Firewall

Created On 09/25/18 17:27 PM - Last Modified 10/11/23 16:04 PM



This document describes how to enable, configure, and verify the DNS Proxy feature on a Palo Alto Networks firewall.




On the Web UI:

  1. Navigate to Network > DNS Proxy.
  2. Click Add to bring up the DNS Proxy dialog.
  3. Select the interfaces on which DNS proxy should be enabled. In the below figure the DNS proxy is enabled on interfaces ethernet 1/2 and 1/3.
  4. Select the primary and secondary servers where the firewall should forward DNS queries.
    The example shows a configuration where DNS proxy is enabled on the ethernet 1/2 and 1/3 interfaces. The primary DNS server is configured with
    Screen Shot 2013-02-07 at 12.22.20 AM.png
  5. Static entries can be added to the DNS proxy. Enter the FQDN and associated address information in the Static Entries tab.
  6. The Palo Alto Networks firewall can be configured to cache the results obtained from the DNS servers. For information on configuring DNS caching, refer to How to Configure Caching for the DNS Proxy.

    Note: If a DNS entry is not found in the cache, then the domain is matched against the static entries list. If a match occurs, then the corresponding address is served. If there is no match, the DNS request is forwarded to the configured Primary or Secondary DNS servers. The source of the DNS query is the ingress interface of DNS request which, in this case, would be either ethernet1/2 or ethernet1/3.
  7. By configuring rules under the DNS Proxy Rules tab, the Palo Alto Networks firewall can forward selective domains to DNS servers different from the configured primary and secondary. The example shows a DNS proxy rule where is forwarded to a DNS server at
    Screen Shot 2013-02-07 at 12.38.37 AM.png

Note: The Palo Alto Networks firewall can also perform reverse DNS proxy lookup. On the client side, configure the DNS server settings on the clients with the IP addresses of the interfaces where DNS proxy is enabled.


On the CLI:

> configure

# set network dns-proxy dnsruletest interface ethernet1/2 enabled yes

# set network dns-proxy dnsruletest default primary

# set network dns-proxy dnsruletest static-entries tss domain address

# set network dns-proxy dnsruletest domain-servers test cacheable no primary domain-name

# commit




Verify the DNS proxy using the following commands:

> show dns-proxy statistics all


Name: dnsruletest

Interfaces: ethernet1/2 ethernet1/3 ethernet1/4


  Queries received from hosts:12

  Responses returned to hosts:12

  Queries forwarded to servers:6

  Responses received from servers:6

  Queries pending:0





> show dns-proxy cache all


Name: dnsruletest

Cache settings:

  Size:1024 entries

  Timeout:14400 seconds


Domain                 IP/Name                 Type  Class     TTL       Hits

------------------------------------------------------------------------------   PTR    IN      60598      1


For more debugging information, look at the dnsproxyd.log:

> tail follow yes mp-log dnsproxyd.log


By default, same zone traffic is allowed, however, if there is a "deny all" rule set, then a security rule is required to allow traffic.  Add a security rule to allow DNS traffic.


Note: DNS proxy rules do not apply to traffic initiated from the firewall's management interface.  For example: From the management interface, an attempt to ping something defined in the DNS proxy does not use the DNS proxy rule, but rather the DNS values from the server instead.


See Also

Can Management Interface use DNS Proxy Rules And Static Entries through DNS Proxy Object?

Blocking Suspicious DNS Queries with DNS Proxy Enabled


owner: sdurga

  • Print
  • Copy Link

Choose Language