Why does the Cloud default DNS Proxy IP not respond to DNS requests in Prisma Access Remote Networks

Created On 01/23/24 02:33 AM - Last Modified 02/07/25 03:54 AM


Question


In Panorama, Cloud Services > Status > Network Details shows the Remote Network DNS proxy IP address; in this example it is 10.1.189.254.
[Screenshot: Panorama Cloud Services > Status > Network Details showing the Remote Network DNS proxy IP]

However, an nslookup against this IP from the RN peer returns no DNS response. Why?

> google.com
Server:  [10.1.189.254]
Address:  10.1.189.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [10.1.189.254] timed-out


Environment


  • Prisma Access
  • Remote Networks
  • DNS


Answer


  1. To use the DNS Proxy on the RN SPNs, certain configuration conditions must be met.
  2. For example, the DNS Proxy in the RN SPN does not work in the scenario shown in the diagram.
    • This is because that configuration matches the following pattern:
      • INTERNAL DNS RESOLUTION METHOD = No configuration
      • EXTERNAL DNS RESOLUTION METHOD = Cloud Default
      • PRISMA ACCESS PROXIES THE DNS REQUEST (YES/NO) = No
    • Whenever the configured pattern results in "PRISMA ACCESS PROXIES THE DNS REQUEST (YES/NO) = No", the RN SPN does not act as a DNS Proxy, so queries sent to the DNS proxy IP time out.
    • Configure the DNS resolution method using a pattern for which "PRISMA ACCESS PROXIES THE DNS REQUEST" = "Yes".

Note: If you enable ZTNA Connector, Prisma Access SPNs proxy all DNS requests.
[Screenshot referenced in the answer above]

  3. Refer to DNS Resolution for Mobile Users and Remote Networks for more details.

