DNS traffic is being intermittently blocked in Prisma Access when DNS proxy is enabled.
Created On 02/28/25 14:20 PM - Last Modified 10/20/25 20:45 PM
Symptom
- Users are unable to access any resources because no DNS responses are received.
- Traffic logs for the application dns-base, with the client as source and the gateway loopback IP as destination, show packets sent only and no packets received.
- DNS traffic logs from the gateway loopback IP to the public DNS server show the traffic hitting the interzone rule with the application identified as "sophos-live-protection".
Environment
Prisma Access.
Sophos Live Protection Endpoint installed on users' machines.
Cause
When DNS proxy is enabled, the DNS traffic consists of two flows:
A- Flow 1: Client --> Gateway
B- Flow 2: Gateway --> DNS Server (internal or external)
- Clients send DNS packets of type TXT generated by the Sophos Endpoint application. The gateway identifies those packets as the "Sophos-Live-Protection" App and forwards them to the public DNS server.
- There is a pre-defined rule that allows traffic from the gateway to the DNS server for the dns-base application. Because the traffic is identified as the "Sophos-Live-Protection" App instead, it did not match the pre-defined allow rule; it hit the interzone rule, whose action is block. Hence Flow 2 (Gateway --> DNS server) was blocked.
- The gateway kept using the same tuple (source IP/port, destination IP/port) for subsequent DNS requests. Because the session did not time out on the gateway, subsequent traffic kept matching the same session and continued to be blocked.
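The two symptoms above can be confirmed from the traffic logs together: client-to-gateway dns-base sessions with nothing received, alongside gateway-to-resolver sessions denied under a non-dns-base App-ID. The script below is an added example, not from the article or Palo Alto Networks; it uses a constructed, simplified CSV log format (not the real PAN-OS log schema) and an assumed gateway loopback IP as a placeholder.

```python
"""Spot the DNS-proxy App-ID mismatch described above in traffic logs.

Constructed, simplified CSV log format (not the real PAN-OS schema):
src,dst,sport,dport,app,rule,action,bytes_sent,bytes_received
"""
import csv
import io

GATEWAY_LOOPBACK = "10.255.0.1"   # assumed gateway loopback IP (placeholder)

# Constructed sample log lines: two stalled client->gateway dns-base sessions,
# one gateway->resolver session misidentified and denied, two healthy sessions.
SAMPLE_LOG = """\
src,dst,sport,dport,app,rule,action,bytes_sent,bytes_received
192.168.1.10,10.255.0.1,51234,53,dns-base,allow-dns,allow,180,0
192.168.1.11,10.255.0.1,51777,53,dns-base,allow-dns,allow,95,0
10.255.0.1,8.8.8.8,40001,53,sophos-live-protection,interzone-default,deny,180,0
10.255.0.1,8.8.8.8,40002,53,dns-base,allow-dns-egress,allow,90,120
192.168.1.12,10.255.0.1,52000,53,dns-base,allow-dns,allow,80,96
"""


def analyze(log_text, gateway_ip=GATEWAY_LOOPBACK):
    """Return Flow 1 sessions with no reply and Flow 2 sessions denied
    under an App-ID other than dns-base."""
    stalled_client_flows = []
    blocked_proxy_flows = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dport"] != "53":
            continue
        # Flow 1: client -> gateway loopback, dns-base, nothing came back
        if (row["dst"] == gateway_ip and row["app"] == "dns-base"
                and int(row["bytes_received"]) == 0):
            stalled_client_flows.append(row["src"])
        # Flow 2: gateway -> resolver, denied because App-ID is not dns-base
        if (row["src"] == gateway_ip and row["action"] == "deny"
                and row["app"] != "dns-base"):
            blocked_proxy_flows.append((row["dst"], row["app"], row["rule"]))
    return {"stalled_client_flows": stalled_client_flows,
            "blocked_proxy_flows": blocked_proxy_flows}


def likely_dns_proxy_appid_issue(result):
    """True only when both halves of the symptom appear together."""
    return bool(result["stalled_client_flows"]) and bool(result["blocked_proxy_flows"])


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(r)
    print("DNS proxy App-ID mismatch likely:", likely_dns_proxy_appid_issue(r))
```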
Resolution
1- Create an application override to force udp/53 to be identified as dns-base.
OR
2- Create a security policy to allow Flow 2 (gateway --> DNS server) for the application sophos-live-protection on port udp/53.
Additional Information
N/A