DNS proxy is not resolving websites (URLs)

9804
Created On 09/30/22 17:15 PM - Last Modified 02/13/23 20:12 PM


Symptom


  • Websites are not loading.
  • nslookups are timing out.
  • dnsproxyd.log shows the following error messages:
    Warning: pan_dnsproxy_check_udp_size(pan_dnsproxy_pkt_parse.c:188): Adding this record exceeds udp size limit, current 508, record size: 112, udp size limit: 512
    Warning: pan_dnsproxy_check_udp_size(pan_dnsproxy_pkt_parse.c:188): Adding this record exceeds udp size limit, current 454, record size: 122, udp size limit: 512


Environment


  • PA-220
  • PANOS-10.0.4
  • DNS Proxy cache enabled


Cause


When the dnsproxy cache is enabled, the response is always assembled from the cache, regardless of whether the records are already cached or the request first has to be forwarded to a name server.

During this process, dnsproxy does not check whether the prepared DNS response exceeds the size limit (the default UDP limit is 512 bytes). A response larger than the limit (512 bytes, or the size advertised via EDNS) can therefore be dropped by other Palo Alto Networks firewalls or network devices in the path.

This problem usually occurs with nested (chained) CNAME records when the cache is in use, because dnsproxy's name compression is limited and the cached response is correspondingly larger than a fully compressed answer would be.


Resolution


As a workaround, apply any one of the following options:
  1. Disable the cache
  2. Add a DNS proxy rule for this FQDN that does not use the cache
  3. Use EDNS (it allows larger UDP DNS responses)
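To make the size arithmetic behind the Cause section and workaround 3 concrete, here is an added Python model (not code from Palo Alto Networks or from dnsproxy) that assembles a response for a constructed CNAME chain with and without RFC 1035 name compression, records the same warning text as dnsproxyd.log whenever a record pushes the message past the UDP limit while still appending it, and shows the effect of a larger EDNS buffer. The host names, the addresses and the 4096-byte EDNS buffer size are assumptions.

```python
import struct

def encode_name(name, packet_len, offsets, compress):
    """Wire-encode a domain name starting at packet_len. With compress=True a suffix already
    in the packet becomes a 2-byte RFC 1035 pointer; otherwise every label is written in full."""
    labels, out = name.rstrip(".").split("."), b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if compress and suffix in offsets and offsets[suffix] < 0x4000:
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets.setdefault(suffix, packet_len + len(out))  # remember where this suffix starts
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, cname_chain, addrs, compress=True, udp_limit=512):
    """Assemble qname -> CNAME chain -> A records as the article describes: every record is
    appended regardless of size, and a warning is recorded when one pushes past udp_limit."""
    offsets, warnings = {}, []
    packet = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)   # ID, flags (QR/RD/RA), QDCOUNT=1
    packet += encode_name(qname, len(packet), offsets, compress) + struct.pack("!HH", 1, 1)  # A, IN
    names = [qname] + cname_chain
    records = [(names[i], 5, names[i + 1]) for i in range(len(cname_chain))]  # TYPE 5 = CNAME
    records += [(names[-1], 1, ip) for ip in addrs]                            # TYPE 1 = A
    for owner, rtype, rdata in records:
        rr = encode_name(owner, len(packet), offsets, compress) + struct.pack("!HHI", rtype, 1, 300)
        if rtype == 5:   # CNAME target is a name, so it is compressible too (offset skips RDLENGTH)
            wire = encode_name(rdata, len(packet) + len(rr) + 2, offsets, compress)
        else:
            wire = bytes(int(o) for o in rdata.split("."))
        rr += struct.pack("!H", len(wire)) + wire
        if len(packet) + len(rr) > udp_limit:   # logged, but the record is still appended
            warnings.append("Adding this record exceeds udp size limit, current %d, record size: %d, "
                            "udp size limit: %d" % (len(packet), len(rr), udp_limit))
        packet += rr
    return packet[:6] + struct.pack("!H", len(records)) + packet[8:], warnings  # patch ANCOUNT

# Constructed sample: a four-hop CNAME chain in front of a website (not real hosts).
QNAME = "www.shop.example.com"
CHAIN = ["www.shop.example.com.cdn-front.example-cdn.net",
         "www-shop-example-com.cluster-a.cdn-front.example-cdn.net",
         "cluster-a-edge.us-east.cdn-front.example-cdn.net",
         "lb-pool-7.us-east.cdn-front.example-cdn.net"]
ADDRS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

if __name__ == "__main__":
    for kw in (dict(compress=False), dict(compress=True), dict(compress=False, udp_limit=4096)):
        pkt, warns = build_response(QNAME, CHAIN, ADDRS, **kw)
        print(kw, "->", len(pkt), "bytes,", len(warns), "warning(s)")
        for w in warns:
            print("  Warning:", w)
```

Without compression the four A records at the end of the chain are exactly the ones that overrun 512 bytes, which is why the site stops resolving even though the CNAME hops look fine; with full compression the same answer fits with room to spare, and a 4096-byte EDNS buffer accepts the uncompressed form as well.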


Additional Information


HOW TO VERIFY DNS PROXY
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleyCAC

