Palo Alto Networks Knowledgebase: How to Configure DNS Proxy on a Palo Alto Networks Firewall
How to Configure DNS Proxy on a Palo Alto Networks Firewall
Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
This document describes how to enable, configure, and verify the DNS Proxy feature on a Palo Alto Networks firewall.
On the Web UI:
Navigate to Network > DNS Proxy.
Click Add to bring up the DNS Proxy dialog.
Select the interfaces on which DNS proxy should be enabled. In the below figure the DNS proxy is enabled on interfaces ethernet 1/2 and 1/3.
Select the primary and secondary servers where the firewall should forward DNS queries. The example shows a configuration where DNS proxy is enabled on the ethernet 1/2 and 1/3 interfaces. The primary DNS server is configured with 10.0.0.246.
Static entries can be added to the DNS proxy. Enter the FQDN and associated address information in the Static Entries tab.
Note: If a DNS entry is not found in the cache, then the domain is matched against the static entries list. If a match occurs, then the corresponding address is served. If there is no match, the DNS request is forwarded to the configured Primary or Secondary DNS servers. The source of the DNS query is the ingress interface of DNS request which, in this case, would be either ethernet1/2 or ethernet1/3.
By configuring rules under the DNS Proxy Rules tab, the Palo Alto Networks firewall can forward selective domains to DNS servers different from the configured primary and secondary. The example shows a DNS proxy rule where techcrunch.com is forwarded to a DNS server at 10.0.0.36.
Note: The Palo Alto Networks firewall can also perform reverse DNS proxy lookup. On the client side, configure the DNS server settings on the clients with the IP addresses of the interfaces where DNS proxy is enabled.
On the CLI:
# set network dns-proxy dnsruletest interface ethernet1/2 enabled yes
# set network dns-proxy dnsruletest default primary 10.0.0.246
22.214.171.124.in-addr.arpa b.resolvers.level3.net PTR IN 60598 1
For more debugging information, look at the dnsproxyd.log:
> tail follow yes mp-log dnsproxyd.log
By default, same zone traffic is allowed, however, if there is a "deny all" rule set, then a security rule is required to allow traffic. Add a security rule to allow DNS traffic.
Note: DNS proxy rules do not apply to traffic initiated from the firewall's management interface. For example: From the management interface, an attempt to ping something defined in the DNS proxy does not use the DNS proxy rule, but rather the DNS values from the server instead.