Palo Alto Networks Knowledgebase: DNS Proxy (Microsoft DNS) Suddenly Denied by Palo Alto Networks Firewall
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show the DNS traffic being identified as "tcp-over-dns", even though it is ordinary DNS over UDP port 53 (the "tcp-over-dns" App-ID refers to a DNS tunneling tool, not to DNS carried over TCP).
The Microsoft DNS proxy reuses the same source port for its outgoing DNS (53/UDP) requests, so the firewall sees a single long-lived UDP session carrying many DNS queries instead of one short session per request. That pattern is what the current identification algorithm uses to recognize tcp-over-dns, so the session is classified as "tcp-over-dns" rather than "dns". The customer's traffic log matches this Microsoft DNS proxy behavior: the denied entries come from the DNS server and share one source port, which is the check to run when this symptom appears.
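The following is an added illustration, not code from the knowledgebase article or from Palo Alto Networks: it models two DNS forwarders sending the same queries upstream, one with a fresh ephemeral source port per query and one reusing a single source port, and counts queries per 5-tuple session. The query records, the IP addresses and the per-session threshold `TUNNEL_QUERY_THRESHOLD` are constructed assumptions standing in for the firewall's (non-public) identification logic; the point is only that source-port reuse collapses many requests into one session, which is the shape a DNS tunnel produces.

```python
"""Why source-port reuse makes plain DNS look like a DNS tunnel.

Constructed example (not PAN-OS code). Two forwarders send 50 queries each:
one opens a new ephemeral source port per query, the other reuses one port.
A per-session query counter stands in for the firewall's heuristic and flags
only the second forwarder's traffic.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import count

# Hypothetical threshold; the real App-ID logic is not public.
TUNNEL_QUERY_THRESHOLD = 20


@dataclass(frozen=True)
class Query:
    """One outgoing DNS request as the firewall would see it (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qname: str


def session_key(q: Query) -> tuple:
    """UDP session identity: the 5-tuple minus the protocol (always UDP here)."""
    return (q.src_ip, q.src_port, q.dst_ip, q.dst_port)


def generate_queries(reuse_source_port: bool, n: int = 50,
                     fixed_port: int = 54321) -> list:
    """Build n constructed queries from 10.0.0.53 (the DNS proxy) to 8.8.8.8:53.

    reuse_source_port=True mimics the Microsoft DNS proxy behavior described
    in the article; False mimics a client using a fresh port per request.
    """
    ports = count(40000)  # ephemeral port allocator for the per-request case
    queries = []
    for i in range(n):
        sport = fixed_port if reuse_source_port else next(ports)
        queries.append(Query("10.0.0.53", sport, "8.8.8.8", 53,
                             f"host{i}.example.com"))
    return queries


def classify_sessions(queries: list) -> dict:
    """Map each session to 'tcp-over-dns' or 'dns' by query volume.

    A session carrying many queries resembles tunneled traffic; a session
    with a single query is ordinary DNS.
    """
    per_session = Counter(session_key(q) for q in queries)
    return {key: ("tcp-over-dns" if n >= TUNNEL_QUERY_THRESHOLD else "dns")
            for key, n in per_session.items()}


def summarize(queries: list) -> dict:
    """Count how many sessions received each verdict."""
    return dict(Counter(classify_sessions(queries).values()))


if __name__ == "__main__":
    print("fresh port per query:", summarize(generate_queries(False)))
    print("single reused port: ", summarize(generate_queries(True)))
```

Run with no arguments: the per-request forwarder yields 50 sessions all classified as dns, while the port-reusing forwarder yields one session classified as tcp-over-dns, even though the individual queries are identical.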