How to Configure Caching for the DNS Proxy

Palo Alto Firewalls can act as a DNS proxy and send the DNS queries on behalf of the clients. Workstations need to have the firewall's IP address configured as DNS server. The firewall uses the dataplane default route to reach the primary dns server configured in the DNS proxy settings. Caching can be configured globally and on a per domain basis as well.

To enable DNS Proxy:

1. Open the Network > DNS Proxy page and create a new DNS Proxy Object
2. In the DNS Proxy configuration, under the Advanced tab, the size of the cache as well as the length of time to cache entries can enabled and configured:

   

3. (Optional) Open the DNS Proxy Rules tab and configure the list of domain exceptions (In this example, yahoo.com would not be cached while techcrunch.com would remain in cache for 4 hours  or its TTL vaule as per the value configured in the screenshot above or for its TTL value which ever is lower.)

   

4. Commit
5. Configure workstation's DNS server to be the firewall's IP address that is in the same subnet as the workstations

To view the DNS Proxy cache information, run the command show dns-proxy cache all via the command line.

owner: sdurga