How to troubleshoot FQDN Objects failing to resolve

Created On 07/08/24 20:30 PM - Last Modified 12/09/24 18:39 PM


Objective


Troubleshooting FQDN address objects that fail to resolve.

Environment


  • NGFW
  • FQDN
  • DNS


Procedure


  1. Check the DNS configuration: navigate to DEVICE > Setup > Services.
    1. Ensure that the Minimum FQDN Refresh Time and FQDN Stale Entry Timeout (min) are configured according to best practice.
  2. Ensure that the DNS servers are reachable from the firewall. Check the service route used for DNS: navigate to DEVICE > Setup > Services, click Service Route Configuration and check the source interface of the DNS service.
    1. If the service route to the DNS server is the default (i.e. the management interface), use the commands:
      ping host <IP address of the DNS server>
      traceroute host <IP address of the DNS server>
    2. If the source interface of the service route to the DNS server is a dataplane interface, use the commands:
      ping source <IP address of the dataplane interface> host <IP address of the DNS server>
      traceroute source <IP address of the dataplane interface> host <IP address of the DNS server>
  3. Check whether any security policies might be blocking DNS traffic (service ports udp/53, tcp/53, 5353, or the application dns).
  4. Check whether your FQDN objects are properly configured:
    1. Navigate to OBJECTS > Addresses. You can check whether a given FQDN object resolves by clicking its name in the UI and then clicking the Resolve button.
    2. Use the CLI command:
       show dns-proxy fqdn all
    3. Delete any misconfigured or duplicate FQDN objects.
    4. If the problem is specific to a certain FQDN object, check whether the configured DNS server has an A or AAAA record for that FQDN.
IMPORTANT:

If the FQDN object failing to resolve is sinkhole.paloaltonetworks.com, service.brightcloud.com, or database.brightcloud.com, the log messages relate to AAAA records and appear as shown below:

2024-11-07 02:18:02.232 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:sinkhole.paloaltonetworks.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12 
2024-11-07 02:18:02.232 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:service.brightcloud.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12 
2024-11-07 02:18:02.233 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:database.brightcloud.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12

If messages like these are flooding dnsproxyd.log, check whether the firewall is hitting software issue PAN-217272:
Fixed an issue where the DNS proxy log included an excessive number of the following error message: Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers.

This issue is described as excessive logging in dnsproxyd for FQDN misses, which causes valuable information to be overlooked.

To address this issue, upgrade to a PAN-OS release that contains the fix: 11.1.0, 11.0.4, 10.1.12, 10.2.8, 10.2.4-h19 and later releases.
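As an added example (not part of the article or a Palo Alto Networks tool), the following Python script parses dnsproxyd.log lines in the format shown above, counts resolve failures per FQDN and record type, and separates the AAAA misses for the three domains tied to PAN-217272 from other failures that still need the checks in the procedure. The A-record lines for app.example.internal and the unrelated info line are constructed sample data.

```python
import re
from collections import Counter

# Pattern for the dnsproxyd.log resolve-failure line quoted in the article.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) Warning:\s+pan_dnsproxy_log_resolve_fail\(.*?\): "
    r"Failed to resolve domain name:(?P<name>\S+) (?P<rrtype>AAAA|A) "
    r"after trying all attempts to name server\(s\):\s*(?P<servers>.*)$"
)

# Domains whose AAAA misses the article attributes to PAN-217272 (log noise,
# not a DNS reachability or policy problem).
KNOWN_AAAA_NOISE = {
    "sinkhole.paloaltonetworks.com",
    "service.brightcloud.com",
    "database.brightcloud.com",
}

def parse_failures(lines):
    """Return (name, rrtype, servers) for every resolve-failure line; skip others."""
    found = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            servers = tuple(m.group("servers").split())
            found.append((m.group("name"), m.group("rrtype"), servers))
    return found

def triage(lines):
    """Count failures per (name, rrtype); split known AAAA noise from real misses."""
    counts = Counter((name, rrtype) for name, rrtype, _ in parse_failures(lines))
    noise = {k: v for k, v in counts.items()
             if k[1] == "AAAA" and k[0] in KNOWN_AAAA_NOISE}
    real = {k: v for k, v in counts.items() if k not in noise}
    return {"noise": noise, "real": real}

# Constructed sample: the three article lines, two A-record misses for a
# hypothetical internal FQDN, and one unrelated line that must be ignored.
SAMPLE_LOG = [
    "2024-11-07 02:18:02.232 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:sinkhole.paloaltonetworks.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12 ",
    "2024-11-07 02:18:02.232 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:service.brightcloud.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12 ",
    "2024-11-07 02:18:02.233 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:database.brightcloud.com AAAA after trying all attempts to name server(s): 172.16.2.11  172.16.2.12",
    "2024-11-07 02:18:05.001 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:app.example.internal A after trying all attempts to name server(s): 172.16.2.11  172.16.2.12",
    "2024-11-07 02:19:05.002 +0100 Warning:  pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:app.example.internal A after trying all attempts to name server(s): 172.16.2.11  172.16.2.12",
    "2024-11-07 02:19:06.000 +0100 Info: dnsproxy refresh cycle complete",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Known AAAA noise (PAN-217272):", result["noise"])
    print("Real misses to investigate:    ", result["real"])
```

Feed it the output of `tail -f` or a saved copy of dnsproxyd.log; anything that lands in "real" is an FQDN whose DNS server reachability, policy, or A/AAAA record should be checked per the steps above.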



Additional Information


  1. FQDN objects are failing to resolve when DNS Proxy object is configured
  2. USING FQDN ADDRESS OBJECT WITH DYNAMIC IP FOR POLICIES
  3. HOW TO CHANGE THE FQDN REFRESH TIMERS
  4. WHAT HAPPENS TO FQDNS IN A SECURITY POLICY WHEN DNS TIME-TO-LIVE EXPIRES AND THE DEVICE CAN NOT REACH DNS SERVER?
  5. HOW TO CONFIGURE AND TEST FQDN OBJECTS

