Palo Alto Networks Knowledgebase: DNS rewrite on a Palo Alto Networks firewall
Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:05 AM
Zone and DoS Protection
DNS rewrite (also called DNS doctoring) is a capability some NAT devices offer: when a DNS reply passes through the device, the address in the A record is translated according to the device's NAT rules. At the time of writing, the Palo Alto Networks firewall does not support DNS doctoring, but there are a few workarounds that can be used.
A scenario in which DNS doctoring applies:
An external DNS server returns the public IP of an application server to a client that sits behind the same firewall as that server.
Traffic Flow in this case:
In the above case, DNS server 22.214.171.124 replies to the client's DNS query with the public IP of the web server, for example 198.51.100.3.
The client then sends its request to the web server on that public IP, and the request arrives at the firewall.
The firewall does a route lookup for 198.51.100.3, finds a route via Eth1/1 (Untrust zone) pointing to the ISP, and sends the packet out toward the internet instead of to the server on the LAN.
A firewall capable of DNS rewrite would instead translate the address in the DNS response to the server's private IP, because it already holds the destination NAT mapping for that public address. The client then reaches the server directly through LAN-to-LAN routing and security policy, and the traffic never leaves through the Untrust interface.
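The rewrite step described above, as an added illustration that is not Palo Alto Networks code and does not reflect how PAN-OS processes DNS: a small Python routine walks a DNS response in wire format and, for every A record whose address appears in a destination-NAT table, swaps the public address for the private one. The NAT table, the private address 10.1.1.10 and the query name www.example.com are assumptions for the example; 198.51.100.3 is the public IP used in the article. The sample response is constructed inline so the code runs offline.

```python
"""DNS doctoring in miniature: rewrite A-record answers per a NAT mapping.

Added example, not Palo Alto Networks code. The NAT table, the private
address 10.1.1.10 and the name www.example.com are assumptions.
"""
import socket
import struct

TYPE_A = 1

# Hypothetical destination-NAT table: public IP -> private IP of the server.
NAT_MAP = {"198.51.100.3": "10.1.1.10"}


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answers(msg):
    """Yield (rtype, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                             # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                        # TYPE, CLASS, TTL, RDLENGTH
        yield rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses carried in the response's A records."""
    return [socket.inet_ntoa(msg[o:o + 4])
            for t, o, n in _answers(msg) if t == TYPE_A and n == 4]


def doctor_response(msg, nat_map):
    """Rewrite A-record rdata that matches nat_map; return (new_msg, rewrites).

    Only the 4-byte rdata changes, so message length, offsets and compression
    pointers stay valid. Records not covered by a NAT rule are left untouched.
    """
    out = bytearray(msg)
    rewrites = []
    for rtype, off, rdlen in _answers(msg):
        if rtype == TYPE_A and rdlen == 4:
            public_ip = socket.inet_ntoa(msg[off:off + 4])
            private_ip = nat_map.get(public_ip)
            if private_ip:
                out[off:off + 4] = socket.inet_aton(private_ip)
                rewrites.append((public_ip, private_ip))
    return bytes(out), rewrites


def build_a_response(qname, addrs, txid=0x1234):
    """Build a constructed DNS response: one question, one A record per address.

    Each answer's owner name is a compression pointer (0xC00C) to the question
    name at offset 12, as real resolvers emit.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", TYPE_A, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    # Constructed reply: the web server's public IP plus an unrelated host.
    reply = build_a_response("www.example.com", ["198.51.100.3", "203.0.113.9"])
    doctored, changed = doctor_response(reply, NAT_MAP)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored))
    print("rewritten:", changed)
```

A real implementation applies this only to replies heading into the internal zone and only for addresses covered by a destination NAT rule. One caveat worth keeping in mind when evaluating any DNS rewrite feature: modifying rdata breaks DNSSEC signatures on the answer, so a validating client or resolver behind the firewall will reject the doctored reply.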