When enabling Anti-Spyware on a Palo Alto Networks firewall that also has DNS proxy enabled, users may see DNS requests denied across the entire network if the policies are not set up correctly. This is a consequence of how Palo Alto Networks devices handle DNS requests and how they block suspicious DNS queries (enabled in Anti-Spyware profiles). This document explains why the issue occurs and how to resolve it.
Environment
Palo Alto Firewall.
PAN-OS 8.1 and above.
DNS Proxy enabled.
Anti-Spyware configuration.
Cause
The issue is caused by the Palo Alto Networks device blocking its own single session for DNS queries to the external DNS server. When an Anti-Spyware profile is configured to block suspicious DNS queries (including the default 'strict' profile), the firewall puts the offending DNS session into a DISCARD state. Because the device's forwarded DNS traffic shares that one session, every DNS request from the device is dropped from that point on until the session times out or is manually cleared. Legitimate DNS queries are therefore blocked when such an Anti-Spyware profile is applied to a Security Policy from the trust (internal) zone to the untrust (external) zone [See Diagram 1.0]. Diagram 1.1 illustrates the flow a packet takes when a Security Policy similar to the one listed above is configured. Once a suspicious DNS query is detected, all DNS queries from the Palo Alto Networks firewall to the DNS server are denied, including the wanted ones.
Resolution
Configure two policies as shown below (see Diagram 2.0). The first policy allows the DNS queries from the firewall itself to the internet without inspection. This prevents a DISCARD session from being formed that would block DNS queries for the entire network. The second policy applies the Anti-Spyware profile to the traffic going from the clients to the firewall's DNS proxy instead. This blocks suspicious DNS queries from specific clients without blocking DNS queries for the entire network.
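The two policies expressed as PAN-OS configuration-mode commands, as an added example that is not part of the original article. The rule names, the zone names (trust/untrust), and the address objects FW-EGRESS-IP, EXTERNAL-DNS and DNS-PROXY-IP are assumptions to be replaced with the values from the actual deployment; lines beginning with # are annotations, not CLI input.

```text
# Policy 1 (must be evaluated before any DNS rule carrying a spyware profile):
# allow the firewall's own DNS proxy queries to the external resolvers with
# no Anti-Spyware profile attached, so the firewall-to-resolver session can
# never be placed into DISCARD. FW-EGRESS-IP and EXTERNAL-DNS are assumed
# address objects for the firewall's egress interface and the upstream resolvers.
set rulebase security rules Allow-FW-DNS-Proxy from untrust to untrust source FW-EGRESS-IP destination EXTERNAL-DNS application dns service application-default action allow

# Policy 2: client queries to the firewall's DNS proxy listener (assumed
# address object DNS-PROXY-IP). The Anti-Spyware profile is applied here, so a
# suspicious query only puts that client's session into DISCARD, not the
# firewall's shared upstream session. 'strict' is the predefined profile
# mentioned above; substitute a custom profile name if one is used.
set rulebase security rules Inspect-Client-DNS from trust to trust source any destination DNS-PROXY-IP application dns service application-default action allow
set rulebase security rules Inspect-Client-DNS profile-setting profiles spyware strict

commit
```

After committing, a suspicious query from one client should appear in the threat log with that client's source address while the firewall's own queries to EXTERNAL-DNS continue to resolve.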