DNS rewrite on a Palo Alto Networks firewall

DNS rewrite on a Palo Alto Networks firewall

34211
Created On 09/25/18 19:50 PM - Last Modified 04/21/20 00:20 AM


Symptom
DNS rewrite (DNS doctoring) is a capability some NAT devices offer to rewrite the IP address in the DNS A-record queries. PAN-OS versions older than 9.0.x does not officially support the DNS doctoring feature so a workaround can be used. 

Note: DNS doctoring is supported starting in PAN-OS 9.0.2. For more information, see PAN-OS New Features Guide, DNS Rewrite for Destination NAT


Environment
  • PAN-OS 8.x 
  • DNS 


Resolution

Scenarios in which DNS doctoring applies.


Scenario 1: 
External DNS Server is returning the public IP of an application server to a client who is also sitting behind the same firewall.

Screen Shot 2016-03-30 at 9.04.24 am.png 
Traffic Flow in this case:

  1. In the above case, DNS server 4.2.2.2 replies to the DNS query of the client with the public IP of the Web server, for example, 198.51.100.3.
  2. The client now accesses the web server on the public IP and forwards that request to the Firewall. 
  3. The firewall tries to do route lookup for 198.51.100.3 IP and finds a route via Eth1/1 (Untrust Zone) pointing to the ISP and sends the packet out.

A firewall capable of DNS rewriting will translate the IP address in the DNS response to the private IP address of the server since it has NAT mapping for the same, which enables the client to directly access the Server through LAN to LAN routing/ policies.

Workarounds

  1. Configure the client to use the firewall as DNS proxy, and on Firewall configure a static entry for www.example.com as 10.1.1.3. For all other lookups, the firewall can use 4.2.2.2 as the DNS server. How to Configure DNS Proxy on a Palo Alto Networks Firewall   OR
  2. Use U-Turn NAT, thereby forwarding the traffic from the client to the Server: How to Configure U-Turn NAT

 


Scenario 2:
Internal DNS server is returning a private IP address of application server to both Internal and external users.

 

Screen Shot 2016-03-30 at 9.04.36 am.png

The external user will not be able to access the server since it will get the private IP address of the Web Server.  


Workarounds

  1. Add a secondary DNS server (preferably in a DMZ zone) to serve external clients with a public IP address to the server.
  2. Change the DNS Server’s A record to use the public IP of the Web Server, and then use the U-Turn NAT solution as in Case 1 for the internal Client to be able to access the Web Server.
  3. Some DNS servers, like bind9, can serve different records depending on the source IP of the requestor


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfjCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language