Palo Alto Networks Knowledgebase: DNS Proxy (Microsoft DNS) Suddenly Denied by Palo Alto Networks Firewall


Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Content Release Deployment
Resolution

Issue

DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show that the DNS traffic is now identified as the "tcp-over-dns" application, even though the traffic is plain DNS over UDP.

[Screenshot: traffic_logs.png]


Cause

The Microsoft DNS proxy reuses the same source port for its outgoing DNS (53/UDP) queries, and the Palo Alto Networks firewall recognizes such traffic as "tcp-over-dns". The Microsoft DNS proxy opens one session per outgoing DNS request, and the current App-ID algorithm identifies that pattern as "tcp-over-dns". The customer's traffic log therefore shows exactly the behavior expected from the Microsoft DNS proxy.
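As an added example that is not part of this article, the following Python script shows how a practitioner can confirm the pattern described above in an exported traffic log: it parses a constructed CSV export (the column names, addresses and timestamps are assumptions, not real PAN-OS output), flags UDP/53 sessions that App-ID labelled "tcp-over-dns", and counts how often each (source, source port) pair was reused. A resolver that randomises its source port shows many pairs used once; a proxy that pins its source port, as this article describes, shows one pair used for every request.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a PAN-OS traffic log exported as CSV.
# The column set is a simplified subset and every value is invented;
# 10.1.1.5 plays the Microsoft DNS proxy, 10.1.1.20 a normal resolver.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,sport,dport,proto,app,action
2019/02/07 10:00:01,10.1.1.5,8.8.8.8,53,53,udp,tcp-over-dns,deny
2019/02/07 10:00:01,10.1.1.5,8.8.4.4,53,53,udp,tcp-over-dns,deny
2019/02/07 10:00:02,10.1.1.5,8.8.8.8,53,53,udp,tcp-over-dns,deny
2019/02/07 10:00:03,10.1.1.20,8.8.8.8,51234,53,udp,dns,allow
2019/02/07 10:00:04,10.1.1.20,8.8.8.8,51235,53,udp,dns,allow
2019/02/07 10:00:05,10.1.1.30,93.184.216.34,40001,443,tcp,ssl,allow
"""


def parse_traffic_log(text):
    """Parse a CSV traffic-log export into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def is_udp_dns(row):
    """True for sessions that are DNS over UDP on the wire (dport 53/udp)."""
    return row["proto"] == "udp" and row["dport"] == "53"


def misclassified_dns_sessions(rows):
    """Rows where plain UDP/53 traffic was identified as tcp-over-dns."""
    return [r for r in rows if is_udp_dns(r) and r["app"] == "tcp-over-dns"]


def source_port_reuse(rows):
    """Number of UDP/53 sessions opened by each (src, sport) pair.

    One pair reused many times is the signature of a resolver that pins
    its source port; many pairs each used once is source-port randomisation.
    """
    return dict(Counter((r["src"], r["sport"]) for r in rows if is_udp_dns(r)))


def suspected_pinned_port_sources(rows, threshold=2):
    """Sources that reused a single source port at least `threshold` times."""
    return sorted({src for (src, _sport), n in source_port_reuse(rows).items()
                   if n >= threshold})


def denied_by_app(rows):
    """Deny counts per App-ID, useful for checking a policy change took effect."""
    return dict(Counter(r["app"] for r in rows if r["action"] == "deny"))


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    for r in misclassified_dns_sessions(rows):
        print(f'{r["receive_time"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:53 '
              f'app={r["app"]} action={r["action"]}')
    print("source-port reuse:", source_port_reuse(rows))
    print("pinned-port sources:", suspected_pinned_port_sources(rows))
    print("denies by app:", denied_by_app(rows))
```

Run the same functions over a real export (after the workaround in this article has been applied) and the "tcp-over-dns" entries should disappear from `denied_by_app` while the source-port reuse pattern for the proxy host stays the same, since the policy change does not alter how the proxy sends its queries.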


Workaround

Add the "tcp-over-dns" application to the Security Policy rule that allows the DNS proxy traffic.


owner: kkondo



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqnCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail