Palo Alto Networks Knowledgebase: DNS rewrite on a Palo Alto Networks firewall

DNS rewrite on a Palo Alto Networks firewall

Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:05 AM
Resolution

DNS rewrite (DNS doctoring) is a capability that some NAT devices offer in order to rewrite the A record in a DNS reply for a particular query, substituting the address on the other side of a NAT mapping. The Palo Alto Networks firewall does not currently support DNS doctoring, but a few workarounds are available.

Some scenarios in which DNS doctoring applies:

Scenario 1: 

External DNS Server is returning the public IP of an application server to a client who is also sitting behind the same firewall. 

[Image: Screen Shot 2016-03-30 at 9.04.24 am.png (Scenario 1 topology)]

Traffic Flow in this case:

  1. In the above case, the DNS server 4.2.2.2 answers the client's query with the public IP of the web server, for example 198.51.100.3.
  2. The client now connects to the web server on that public IP, and the request is forwarded to the firewall.
  3. The firewall performs a route lookup for 198.51.100.3, finds a route via Ethernet1/1 (Untrust zone) pointing to the ISP, and sends the packet out that interface.

A firewall capable of DNS rewriting translates the IP address in the DNS response to the private IP address of the server, because it holds the NAT mapping for that address. The client can then reach the server directly through LAN-to-LAN routing and security policies.

Workarounds

  1. Configure the client to use the firewall as its DNS proxy, and on the firewall configure a static entry for www.example.com as 10.1.1.3. For all other lookups the firewall can use 4.2.2.2 as the DNS server (see: How to Configure DNS Proxy on a Palo Alto Networks Firewall), or
  2. Use U-Turn NAT, so that the firewall forwards the client's traffic for the public IP back to the server (see: How to Configure U-Turn NAT).

Scenario 2:

An internal DNS server returns the private IP address of the application server to both internal and external users.

[Image: Screen Shot 2016-03-30 at 9.04.36 am.png (Scenario 2 topology)]

The external user will not be able to access the server, since it will get the private IP address of the Web Server.

Workaround

  1. Add a secondary DNS server (preferably in a DMZ zone) that serves external clients the public IP address of the server.
  2. Change the internal DNS server's A record to the public IP of the web server, and then use the U-Turn NAT solution from Scenario 1 so that the internal client can still reach the web server.
  3. Some DNS servers, such as BIND 9 (views), can serve different records depending on the source IP of the requester (split-horizon DNS).
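The rewriting the article describes for a DNS-doctoring NAT device can be shown on a constructed DNS reply: for an inside client (Scenario 1) the public A record is swapped for the private address from the NAT mapping, and for an outside client receiving a private address from an internal DNS server (Scenario 2) the reverse mapping applies. This is an added example and not code from the Palo Alto Networks article or from PAN-OS; the NAT table, the trusted prefix, the client addresses and the functions (build_response, rewrite_a_records, answered_addresses) are all this example's own constructions.

```python
"""Minimal DNS-doctoring model: rewrite A records in a DNS reply per a NAT map.

Added example; not part of the Palo Alto Networks article and not PAN-OS code.
"""
import ipaddress
import struct

# Constructed static NAT table (public -> private), matching the article's
# example host: www.example.com is 198.51.100.3 outside and 10.1.1.3 inside.
NAT_MAP = {"198.51.100.3": "10.1.1.3"}
# Constructed trust-side prefixes; clients from these networks are "inside".
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def encode_name(name):
    """Encode a domain name in DNS label format (3www7example3com0)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(name, addresses, txid=0x1234, flags=0x8180):
    """Build a DNS message with one question and one A record per address.

    flags=0x8180 is a standard response (QR=1, RD=1, RA=1); pass 0x0100 to
    build a plain query with no answers.
    """
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = ipaddress.IPv4Address(addr).packed
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def skip_name(buf, offset):
    """Return the offset just past a label sequence or a compression pointer."""
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return offset + 2
        offset += 1 + length


def a_record_offsets(buf):
    """Offsets of the 4-byte RDATA of every IN A record in the answer section."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", buf, 2)
    if not flags & 0x8000:
        return []  # a query carries nothing to rewrite
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(buf, offset) + 4  # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        offset = skip_name(buf, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, offset)
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            offsets.append(offset)
        offset += rdlength
    return offsets


def is_inside(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INSIDE_NETS)


def rewrite_a_records(packet, client_ip):
    """Rewrite A records the way a doctoring NAT device would for this client.

    Inside clients get public -> private (Scenario 1); outside clients get
    private -> public (the Scenario 2 case). Returns (new_packet, changes).
    """
    if is_inside(client_ip):
        mapping = NAT_MAP
    else:
        mapping = {priv: pub for pub, priv in NAT_MAP.items()}
    buf = bytearray(packet)
    changes = []
    for offset in a_record_offsets(buf):
        old = str(ipaddress.IPv4Address(bytes(buf[offset:offset + 4])))
        new = mapping.get(old)
        if new is not None:
            buf[offset:offset + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(buf), changes


def answered_addresses(packet):
    """List the A-record addresses in a DNS reply (used to inspect results)."""
    buf = bytes(packet)
    return [str(ipaddress.IPv4Address(buf[o:o + 4])) for o in a_record_offsets(buf)]


if __name__ == "__main__":
    reply = build_response("www.example.com", ["198.51.100.3"])
    fixed, changes = rewrite_a_records(reply, "10.1.1.50")
    print("inside client:", changes, answered_addresses(fixed))
    reply2 = build_response("www.example.com", ["10.1.1.3"])
    fixed2, changes2 = rewrite_a_records(reply2, "203.0.113.9")
    print("outside client:", changes2, answered_addresses(fixed2))
```

Because an IPv4 address is a fixed 4-byte RDATA, the packet length and all compression pointers stay valid after the swap; a real implementation would also have to decide what to do with AAAA records, DNSSEC-signed answers (which a rewrite breaks) and TTLs.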
