DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show that the DNS traffic is suddenly identified as "tcp-over-dns", even though DNS traffic is UDP.
Cause
The DNS Proxy uses the same source port for DNS(53/UDP) and the Palo Alto Networks firewall will recognize such traffic as "tcp-over-dns". The Microsoft DNS proxy uses one session per each outgoing DNS request, and it is identified by the current algorithm. Therefore, from the customer traffic log, the behavior is the same as Microsoft DNS proxy.