FQDN objects not refreshed when service route set for Primary/Secondary DNS


54625
Created On 09/25/18 19:47 PM - Last Modified 06/15/23 21:34 PM


Symptom



If you set a service route for the system's primary/secondary DNS servers, FQDN refresh stops working for the FQDN address objects referenced in your security policy.

 

For example:

(Image: Original1_1.png)

 

 

Diagnosis

  •  Confirm that the FQDN hosts and the DNS servers can be pinged from the source address used by the service route
  •  Execute "request system fqdn refresh force yes" and wait until the FqdnRefresh job has finished
  •  Check the "request system fqdn show" output; it shows "Not resolved" for each FQDN object, as below

 

admin@VM-3> show jobs all
 
Enqueued                     ID             Type    Status Result Completed
--------------------------------------------------------------------------
2016/09/30 10:51:03          52      FqdnRefresh       FIN     OK 10:51:33
 
admin@VM-3> request system fqdn show
 
FQDN Table : Last Request time Fri Sep 30 10:51:03 2016
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1 (using mgmt-obj dnsproxy object)
 
www.google.com  (Objectname google.com):
 
                    Not resolved
 
www.yahoo.co.jp  (Objectname yahoo.co.jp):
 
                    Not resolved
 
VSYS  : shared (using mgmt-obj dnsproxy object)
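An unresolved FQDN address object carries no IP addresses, so a security rule that references it matches no traffic until the refresh succeeds. The following script is an added check, not part of this article or of PAN-OS: it parses the "request system fqdn show" output shown above and reports every FQDN object that is still "Not resolved", along with the DNS proxy object each vsys is using (an entry still showing "mgmt-obj" means the system DNS setting is in use). The two sample inputs are constructed from the outputs on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the "Not resolved" output from the diagnosis step,
# trimmed to the lines the parser needs.
SAMPLE_BROKEN = """\
FQDN Table : Last Request time Fri Sep 30 10:51:03 2016
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1 (using mgmt-obj dnsproxy object)

www.google.com  (Objectname google.com):

                    Not resolved

www.yahoo.co.jp  (Objectname yahoo.co.jp):

                    Not resolved

VSYS  : shared (using mgmt-obj dnsproxy object)
"""

# Constructed sample: output after the workaround DNS proxy object is in use.
SAMPLE_FIXED = """\
FQDN Table : Last Request time Fri Sep 30 11:15:18 2016
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1 (using Workaround_DNSProxy dnsproxy object)

www.google.com  (Objectname google.com):

                  216.58.200.196                17                       15
   2404:6800:4004:80f:0:0:0:2004                17                       15

www.yahoo.co.jp  (Objectname yahoo.co.jp):

                   182.22.70.252                -3                       15

VSYS  : shared (using Workaround_DNSProxy dnsproxy object)
"""


@dataclass
class FqdnEntry:
    vsys: str
    fqdn: str
    object_name: str
    addresses: List[str] = field(default_factory=list)  # empty => "Not resolved"

    @property
    def resolved(self) -> bool:
        return bool(self.addresses)


# Line shapes taken from the CLI output format quoted in this article.
VSYS_RE = re.compile(r"^VSYS\s*:\s*(\S+)\s*\(using\s+(\S+)\s+dnsproxy object\)")
OBJ_RE = re.compile(r"^(\S+)\s+\(Objectname\s+(\S+)\):")
ADDR_RE = re.compile(r"^([0-9a-fA-F.:]+)\s+(-?\d+)\s+(\d+)$")  # ip, remaining TTL, secs since refresh


def parse_fqdn_show(text: str) -> List[FqdnEntry]:
    """Parse 'request system fqdn show' output into one entry per FQDN object."""
    entries: List[FqdnEntry] = []
    vsys = "?"
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VSYS_RE.match(line)
        if m:
            vsys = m.group(1)
            current = None  # objects listed after this line belong to the new vsys
            continue
        m = OBJ_RE.match(line)
        if m:
            current = FqdnEntry(vsys=vsys, fqdn=m.group(1), object_name=m.group(2))
            entries.append(current)
            continue
        if current is None or line == "Not resolved":
            continue  # header/separator lines, or an object with no addresses
        m = ADDR_RE.match(line)
        if m:
            current.addresses.append(m.group(1))
    return entries


def unresolved_objects(text: str) -> List[str]:
    """Return 'vsys/objectname' for every FQDN object that has no addresses."""
    return [f"{e.vsys}/{e.object_name}" for e in parse_fqdn_show(text) if not e.resolved]


def dns_proxy_objects(text: str) -> Dict[str, str]:
    """Map each vsys to the dnsproxy object it is using for FQDN refresh."""
    matches = (VSYS_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


if __name__ == "__main__":
    for label, sample in (("before workaround", SAMPLE_BROKEN), ("after workaround", SAMPLE_FIXED)):
        print(f"{label}: proxy objects {dns_proxy_objects(sample)}, "
              f"unresolved {unresolved_objects(sample) or 'none'}")
```

Feed it the saved output of "request system fqdn show" (for example via the PAN-OS XML API's op command) after each FqdnRefresh job to catch policy objects that silently stopped resolving.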

 



Resolution


Workaround:

  •  Create a DNS Proxy object with no interface assigned to it and with the DNS servers configured on it
  •  In Device -> Setup -> Services, set the DNS setting to use the created DNS Proxy object instead of the primary/secondary DNS server addresses

 

(Image: Original2_2.png)

 

(Image: Original3_2.png)

The FQDN address objects now retrieve their IPv4/IPv6 addresses from the DNS server:

 

admin@VM-3> show jobs all
 
Enqueued                     ID             Type    Status Result Completed
--------------------------------------------------------------------------
2016/09/30 11:15:18          54      FqdnRefresh       FIN     OK 11:15:32
 
admin@VM-3> request system fqdn show
 
FQDN Table : Last Request time Fri Sep 30 11:15:18 2016
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1 (using Workaround_DNSProxy dnsproxy object)
 
www.google.com  (Objectname google.com):
 
                  216.58.200.196                17                       15
   2404:6800:4004:80f:0:0:0:2004                17                       15
 
www.yahoo.co.jp  (Objectname yahoo.co.jp):
 
                   182.22.70.252                -3                       15
                   182.22.71.250                -3                       15
                   182.22.71.251                -3                       15
                   182.22.71.252                -3                       15
 
VSYS  : shared (using Workaround_DNSProxy dnsproxy object) 

 


