DNS Proxy (Microsoft DNS) Suddenly Denied by Palo Alto Networks Firewall

Created On 09/26/18 13:49 PM - Last Modified 07/19/22 23:09 PM


Resolution


Issue

DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show that the DNS traffic is now identified as the "tcp-over-dns" application, even though the traffic is plain UDP DNS.

[Image: traffic_logs.png, traffic log showing DNS Proxy sessions identified as "tcp-over-dns"]

Cause

The DNS Proxy sends its outgoing DNS queries from the same source port (53/UDP), and the Palo Alto Networks firewall recognizes such traffic as "tcp-over-dns". The Microsoft DNS proxy opens one session per outgoing DNS request, and the current App-ID algorithm identifies these sessions as "tcp-over-dns". The behavior seen in the customer traffic log therefore matches the normal behavior of the Microsoft DNS proxy.

Workaround

Add the "tcp-over-dns" application to the Security Policy rule that allows the DNS Proxy traffic.
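The following script is an added example, not part of this article or of any Palo Alto Networks tool. It shows how an administrator could confirm the symptom above from a traffic log export (UDP/53 sessions tagged "tcp-over-dns"), check for the underlying cause (one resolver reusing a single UDP source port for many outbound queries), and model the effect of the workaround (adding "tcp-over-dns" to the application list of the DNS rule). The log lines, addresses and rule names are constructed; the column layout is a simplified subset of a PAN-OS traffic log CSV export, not the real export format.

```python
"""Added example: triage DNS Proxy sessions that a firewall classifies as
"tcp-over-dns" and check the source-port reuse that causes it.

All data below is constructed for illustration (not customer data, and the
column layout is a simplified assumption, not the real PAN-OS export)."""

import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export. Columns are a hypothetical subset:
# receive_time, src, sport, dst, dport, proto, app, action, rule
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,sport,dst,dport,proto,app,action,rule
2018/09/26 13:40:01,10.1.1.10,53,192.0.2.53,53,udp,dns,allow,allow-dns
2018/09/26 13:40:02,10.1.1.10,53,192.0.2.53,53,udp,dns,allow,allow-dns
2018/09/26 13:40:03,10.1.1.10,53,192.0.2.54,53,udp,tcp-over-dns,deny,interzone-default
2018/09/26 13:40:04,10.1.1.10,53,192.0.2.53,53,udp,tcp-over-dns,deny,interzone-default
2018/09/26 13:40:05,10.1.1.20,51234,192.0.2.53,53,udp,dns,allow,allow-dns
2018/09/26 13:40:06,10.1.1.20,51235,192.0.2.53,53,udp,dns,allow,allow-dns
"""


def parse_traffic_log(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def find_reclassified_dns(rows):
    """Rows showing the article's symptom: UDP/53 traffic identified as tcp-over-dns."""
    return [
        r for r in rows
        if r["proto"] == "udp" and r["dport"] == "53" and r["app"] == "tcp-over-dns"
    ]


def source_port_reuse(rows, threshold=3):
    """Count outbound UDP/53 sessions per (src, sport).

    A resolver that reuses one source port for every query (the cause the
    article describes) shows up as a high count for a single pair; a resolver
    using a fresh ephemeral port per query shows a count of 1 per pair.
    """
    counts = defaultdict(int)
    for r in rows:
        if r["proto"] == "udp" and r["dport"] == "53":
            counts[(r["src"], r["sport"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def evaluate_policy(rows, allowed_apps):
    """Toy model of an App-ID based Security Policy rule.

    A session is allowed only if its identified application is in the rule's
    application list; anything else falls through to the implicit deny.
    """
    return [
        (r["receive_time"], r["app"], "allow" if r["app"] in allowed_apps else "deny")
        for r in rows
    ]


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    for r in find_reclassified_dns(rows):
        print("reclassified:", r["receive_time"], r["src"], "->", r["dst"], r["action"], r["rule"])
    print("source-port reuse:", source_port_reuse(rows))
    print("denied before workaround:",
          sum(1 for _, _, a in evaluate_policy(rows, {"dns"}) if a == "deny"))
    print("denied after workaround:",
          sum(1 for _, _, a in evaluate_policy(rows, {"dns", "tcp-over-dns"}) if a == "deny"))
```

The reuse check is the useful part for an administrator: if the only (src, sport) pair with a high count is the DNS Proxy sending from port 53, the reclassification is explained by the proxy's behavior rather than by something new on the network, and allowing "tcp-over-dns" on the DNS rule is the right fix.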

owner: kkondo


