DNS Proxy Rule Isn't Working

Created On 09/25/18 17:51 PM - Last Modified 06/08/23 22:31 PM


Issue

The DNS proxy rule configured under the DNS proxy settings is not being applied. In the example configuration below, all requests for the "yahoo.com" domain and its subdomains are expected to be forwarded to server 1.1.1.1. However, the traffic always goes to 8.8.8.8.

[Screenshot: dns-wr.png, the DNS proxy rule configuration described above]

The following errors are found in dnsproxyd.log:

mp\dnsproxyd.log 10-18 12:18:48 Error: pan_dnsproxyd_parse_service_route(pan_dnsproxyd_parse.c:119): Could not get ipv4 or ipv6 addr
mp\dnsproxyd.log 10-18 12:18:48 Error: pan_dnsproxyd_parse_instance(pan_dnsproxyd_parse.c:285): No ipv6list obj found
mp\dnsproxyd.log 10-18 12:18:48 Error: pan_dnsproxyd_parse_instance(pan_dnsproxyd_parse.c:285): No ipv6list obj found
mp\dnsproxyd.log 10-18 12:18:59 Error: pan_dnsproxyd_cmp_dnsproxy(pan_dnsproxyd_cfg.c:2554): old new rules doesn't match

Resolution

For the DNS proxy rule to work as expected, the domain name must be prefixed with the wildcard character ('*'), for example "*.yahoo.com". Without the wildcard, requests for subdomains do not match the rule and fall through to the default DNS server.
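The following Python script is an added illustration, not code from Palo Alto Networks or from this article. It models the rule-matching behaviour the issue and resolution above describe (a plain domain matches only that exact name, while a "*." prefix matches names with one or more additional labels in front of the suffix) and shows why queries for "mail.yahoo.com" land on 8.8.8.8 with a rule for "yahoo.com" but on 1.1.1.1 with a rule for "*.yahoo.com". The rule class, function names, the default forwarder 8.8.8.8 and the query names are constructed for the example; whether the wildcard rule also covers the apex name "yahoo.com" on the firewall is not stated in the article, so the model assumes it does not.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed value: the proxy's primary DNS server that queries fall back to
# when no rule matches (the article's example uses 8.8.8.8).
DEFAULT_FORWARDER = "8.8.8.8"


@dataclass(frozen=True)
class DnsProxyRule:
    """Hypothetical representation of one DNS proxy rule."""
    domain: str      # e.g. "yahoo.com" or "*.yahoo.com"
    forwarder: str   # DNS server that matching queries are sent to


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule_domain: str, qname: str) -> bool:
    """Assumed matching semantics: a plain domain matches only that exact
    name; a leading '*.' matches any name that has at least one extra label
    in front of the remaining suffix.  Matching is done label by label
    rather than with a string suffix test, so "*.yahoo.com" does not match
    "notyahoo.com"."""
    rule = _labels(rule_domain)
    query = _labels(qname)
    if rule[0] == "*":
        suffix = rule[1:]
        return len(query) > len(suffix) and query[-len(suffix):] == suffix
    return query == rule


def select_forwarder(rules: List[DnsProxyRule], qname: str,
                     default: str = DEFAULT_FORWARDER) -> str:
    """Return the forwarder for the first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule.domain, qname):
            return rule.forwarder
    return default


# Constructed configurations: the rule as described in the Issue section and
# the rule as corrected in the Resolution section.
BROKEN_RULES = [DnsProxyRule("yahoo.com", "1.1.1.1")]
FIXED_RULES = [DnsProxyRule("*.yahoo.com", "1.1.1.1")]


def compare(qnames: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each query name to (forwarder without wildcard, forwarder with wildcard)."""
    return {q: (select_forwarder(BROKEN_RULES, q),
                select_forwarder(FIXED_RULES, q)) for q in qnames}


if __name__ == "__main__":
    # Constructed query names used to exercise both configurations.
    for q, (before, after) in compare(
            ["mail.yahoo.com", "www.yahoo.com", "yahoo.com",
             "notyahoo.com", "example.com"]).items():
        print(f"{q:16} rule 'yahoo.com' -> {before:8}  rule '*.yahoo.com' -> {after}")
```

Running the script prints one line per query; "mail.yahoo.com" goes to 8.8.8.8 under the plain rule and to 1.1.1.1 under the wildcard rule, which is the behaviour the nslookup check below confirms on the firewall. If both the apex name and its subdomains must reach the same forwarder, the model suggests configuring two rules, one plain and one wildcard.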

[Screenshot: dns.png, the corrected DNS proxy rule with the wildcard domain]

Verify the configuration from the Windows command prompt by running nslookup and setting the server to the IP address of interface ethernet1/3 on the Palo Alto Networks firewall. A query for a subdomain should now return the answer from the 1.1.1.1 forwarder.

C:\Users\smith> nslookup
Default Server:  sjcdcvw01p.paloaltonetworks.local
Address:  10.0.0.246

> server 192.168.1.10   ----> IP of ethernet 1/3
Default Server:  [192.168.1.10]
Address:  192.168.1.10

> mail.yahoo.com
Server: 192.168.1.10
Address: 192.168.1.10

Non-authoritative answer:
Address: 1.1.1.1

owner: pvemuri



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKhCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail