Palo Alto Networks Knowledgebase: DNS rewrite on a Palo Alto Networks firewall


Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:05 AM

DNS rewrite (also called DNS doctoring) is a capability some NAT devices offer: when a DNS reply passes through the device, the A record in that reply is translated according to the device's NAT mapping, so a client on the inside of the NAT receives the address that is actually reachable from its side. The Palo Alto Networks firewall does not currently support DNS doctoring, but there are a few workarounds that achieve the same result.


Scenarios in which DNS doctoring would normally apply:


Scenario 1:

An external DNS server returns the public IP of an application server to a client that sits behind the same firewall as that server.




Traffic flow in this case:

  1. The DNS server replies to the client's DNS query with the public IP of the web server, for example
  2. The client then connects to the web server on that public IP and forwards the request to the firewall, its default gateway.
  3. The firewall does a route lookup for the destination (the public IP), finds the route via ethernet1/1 (Untrust zone) pointing to the ISP, and sends the packet out toward the Internet instead of to the server on the LAN.


A firewall capable of DNS rewriting would translate the IP address in the DNS response to the private IP address of the server, because it holds a NAT mapping between the two. The client would then reach the server directly through LAN-to-LAN routing and policies, without any hairpin through the untrust interface.


Workarounds for Scenario 1:

  1. Configure the client to use the firewall as its DNS proxy, and on the firewall configure a static entry that maps the server's hostname to its private IP. For all other lookups the firewall forwards to the regular (external) DNS server. Note that this only helps clients that actually resolve through the firewall; a client with a hard-coded external resolver still receives the public IP. See: How to Configure DNS Proxy on a Palo Alto Networks Firewall
  2. Use U-Turn NAT, so that traffic from the client to the public IP is translated back to the server's private IP and forwarded on the LAN. See: How to Configure U-Turn NAT
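Both workarounds above, expressed as PAN-OS CLI set commands, as an added example that is not part of the original article. The topology is assumed: ethernet1/1 in zone Untrust, ethernet1/2 in zone Trust, web server at private IP 10.1.1.10 published as 203.0.113.10 under the name www.example.com, and an upstream resolver at 8.8.8.8. The command syntax is reproduced from memory of the PAN-OS configure-mode CLI and should be checked against the linked articles or the CLI's `?` help before use; the `#` lines are annotations, not CLI input, and must be removed before pasting.

```text
# --- Workaround 1: DNS proxy with a static entry -----------------------
# Clients on the Trust side point at ethernet1/2 as their resolver.
# www.example.com is answered locally with the private IP; every other
# name is forwarded to the upstream resolver.
set network dns-proxy dns-proxy-trust enabled yes
set network dns-proxy dns-proxy-trust interface ethernet1/2
set network dns-proxy dns-proxy-trust default primary 8.8.8.8 secondary 8.8.4.4
set network dns-proxy dns-proxy-trust static-entries www-internal domain www.example.com address 10.1.1.10

# --- Workaround 2: U-turn NAT ---------------------------------------------
# Pre-NAT the packet is Trust -> Untrust (route lookup for 203.0.113.10 hits
# the default route). Translate the destination back to the private IP and
# the source to the Trust interface address so the server's reply returns
# through the firewall instead of going straight to the client.
set rulebase nat rules U-Turn-Web from Trust to Untrust source any destination 203.0.113.10 service any
set rulebase nat rules U-Turn-Web destination-translation translated-address 10.1.1.10
set rulebase nat rules U-Turn-Web source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy matches on the pre-NAT address but the post-NAT zone, so
# the rule is Trust -> Trust with the public IP as destination.
set rulebase security rules Allow-Web-Hairpin from Trust to Trust source any destination 203.0.113.10 application web-browsing service application-default action allow
commit
```

The source translation in the NAT rule is what makes the hairpin work: without it the server sees the client's real LAN address, answers directly on the LAN, and the firewall never sees the return traffic, so the session breaks. The cost is that the server's logs show the firewall's Trust interface address rather than the client's.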


Scenario 2:

An internal DNS server returns the private IP address of the application server to both internal and external users.



External users cannot reach the server, because the private IP address they receive is not routable from the Internet.


Workarounds for Scenario 2:

  1. Add a secondary DNS server (preferably in a DMZ zone) that serves external clients the public IP address of the server. Only the public records should exist on that server, so that internal addressing is not exposed to the Internet.
  2. Change the DNS server's A record to the public IP of the web server, and then use the U-Turn NAT solution from Scenario 1 so that internal clients can still reach the web server.
  3. Some DNS servers, such as BIND 9 with its views feature, can serve different records depending on the source IP of the requester (split-horizon DNS).
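Workaround 3 as a BIND 9 `named.conf` excerpt, added here as an example and not taken from the original article. The internal network 10.1.1.0/24, the zone example.com, the zone file paths and the record contents noted in the comments are all assumed; the web server is 10.1.1.10 internally and 203.0.113.10 externally, matching the Scenario 1 example.

```text
// Split-horizon DNS for example.com (constructed example).
// Views are matched top to bottom; the first view whose match-clients
// list matches the querying source IP answers, so the narrower internal
// view must come first.

acl "internal-nets" { 10.1.1.0/24; 127.0.0.1; };

view "internal" {
    match-clients { internal-nets; };
    recursion yes;                 // internal hosts may use this server as resolver
    zone "example.com" {
        type master;
        // db.example.com.internal contains:  www  IN  A  10.1.1.10
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // authoritative only toward the Internet
    zone "example.com" {
        type master;
        // db.example.com.external contains:  www  IN  A  203.0.113.10
        file "/etc/bind/db.example.com.external";
    };
};
```

Once any view is defined, every zone must live inside a view; a zone left at the top level is a configuration error. Because the server itself is the only one seeing internal records, nothing on the firewall needs to change for external clients, and internal clients never hit the Scenario 1 problem because they are handed the private IP directly. If external queries arrive through a NAT on the firewall, check which source IP BIND actually sees, since that is what `match-clients` evaluates.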


