DNS rewrite for DNS reply packet is not working.
10572
Created On 02/15/22 03:30 AM - Last Modified 06/03/23 08:35 AM
Symptom
- When a firewall has Destination NAT rules configured with DNS rewrite, the firewall should NAT IP returned by the DNS server in DNS response based on the configured NAT rule.
- The IP address in the DNS response packet From Server to Client is not getting NATed as per NAT Policy.
- Refer to Destination NAT with DNS Rewrite Use Cases and Configure Destination NAT with DNS Rewrite for details
Environment
- Palo Alto Firewalls
- PAN-OS 9.1, 10.1, 10.2
- Destination NAT rule configured with DNS rewrite
- Disable Server Response Inspection (DSRI) checked.
Cause
- One of the reasons DNS rewrite operation can fail is due to "Disable Server Response Inspection'' option enabled/checked in the security policy.
- With "Disable Server Response Inspection '' enabled/checked Firewall stops Layer 7 inspection for response traffic(Server to Client Traffic) and it will stop DNS rewrite operation on DNS response packets.
- Refer to Disable Server Response Inspection BPA Checks for details.
Resolution
- Disable/Uncheck "Disable Server Response Inspection" in the security policy (GUI: Policies > Security > (select the rule). Note that DSRI his is disabled by default.
- Commit the configuration.