How to implement DHCP Option 119 (Domain Search List) in a Palo Alto Networks firewall

Created On 01/23/23 19:02 PM - Last Modified 01/24/23 01:30 AM


Objective


The objective of this article is to provide Information Security professionals with the knowledge and tools necessary to implement DHCP Option 119 on Palo Alto Networks firewalls.

Environment


  • Palo Alto Networks firewall running PAN-OS 8.1 or later
  • DHCP server configured and functional, hosted on the firewall


Procedure


  1. Log in to the Palo Alto Networks firewall management interface.
  2. Navigate to the Network tab, and select DHCP.
  3. Select the DHCP Server interface that you want to configure.
  4. Select the Options tab, and under Custom DHCP Options click the Add button.
  5. Give the option a name such as "Option 119". In the Option Code field, enter 119.
  6. In the Value field, select the "Hexadecimal" radio button and add the search domains you want to configure in hex-string format. Add an additional line for each domain you want to add. Each additional line is concatenated with the one before it, so the order of the entries matters. Compression pointers are supported.
  7. Click the OK button.
  8. Commit the configuration changes.

DHCP Option 119 Entry Format

Standalone entry

Each domain is encoded label by label: every label (the characters up to the next dot) is preceded by one byte giving its length, and the entry is terminated by a 00 byte.

For example, the entry "example.com" is encoded as: 07 'example' 03 'com' 00. Converting the full entry to hex gives:

076578616d706c6503636f6d00
 

Array entry

Now let's say we want to add the search domains "first.example.com" and "second.example.com".

We can achieve this with hex-string:
056669727374076578616d706c6503636f6d00067365636f6e64076578616d706c6503636f6d00

That is composed of: 05 'first' 07 'example' 03 'com' 00; 06 'second' 07 'example' 03 'com' 00.

Note that the maximum length of Option 119 is 255 characters, so it may be important to use compression pointers to reduce the length of the entries.

Compression Pointer entry

If a compression pointer is used, it is placed at the end of the entry and is written as c0 followed by the byte offset of the name it points to.

For example, if we want to represent subdomain.example.com, the entry becomes:

076578616d706c6503636f6d0009737562646f6d61696ec000

Note that we start with example.com, then add 09 'subdomain' followed by c0 00. c0 marks a compression pointer, and the byte after it, 00, is the offset it points to, where example.com begins.

If we instead had an entry with www.example.com and wanted to add pointer.example.com, the offset would be 4 to account for the www label (one length byte plus three characters). Example:

03777777076578616d706c6503636f6d0007706f696e746572c004

Putting it all together

We are provided a search list with the following entries:

example.com
subdomain.example.com
www.example.com
pointer.example.com
first.example.com
second.example.com
third.example.com

We review the configuration and we see the following entries:
076578616d706c6503636f6d0009737562646f6d61696ec000 (example.com and subdomain.example.com leveraging compression-pointer)
03777777076578616d706c6503636f6d0007706f696e746572c000 (www.example.com which doesn't leverage compression pointer, followed by pointer.example.com leveraging compression pointer)
056669727374076578616d706c6503636f6d00067365636f6e64076578616d706c6503636f6d00 (first.example.com and second.example.com not leveraging compression pointers, concatenated in a single line)
057468697264076578616d706c6503636f6d00 (Standalone entry third.example.com not leveraging compression pointer)

We want to optimize the entries, so we will use compression pointers to example.com.
To make it clearer we will put the base domain on the first line and have every other entry point to it. Because all lines are concatenated into one option, the pointer c000 on each following line refers to offset 0, where example.com begins:
076578616d706c6503636f6d00 (example.com)
09737562646f6d61696ec000 (subdomain -> example.com)
03777777c000 (www -> example.com)
07706f696e746572c000 (pointer -> example.com)
056669727374c000 (first -> example.com)
067365636f6e64c000 (second -> example.com)
057468697264c000 (third -> example.com)
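As an added example (not code from the article or from PAN-OS), the following Python script encodes a search list into the Option 119 hex string using the compression-pointer layout described above, enforces the 255-byte limit, and decodes a hex string back into domains so an entry can be checked before it is pasted into the Hexadecimal value field and committed:

```python
"""Encode/decode DHCP Option 119 (RFC 3397) search lists. Added example, not
from the Palo Alto Networks article or PAN-OS; reproduces the hex strings above."""


def encode_search_list(domains):
    """Encode domains as Option 119 data, replacing any suffix already
    written with an RFC 1035 compression pointer (c0 + byte offset)."""
    out = bytearray()
    seen = {}  # label suffix -> offset at which it was first written
    for domain in domains:
        labels = domain.strip(".").lower().split(".")
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in seen:  # point back instead of repeating it
                off = seen[suffix]
                out += bytes([0xC0 | (off >> 8), off & 0xFF])
                break
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r} in {domain!r}")
            seen[suffix] = len(out)
            out += bytes([len(raw)]) + raw
        else:
            out.append(0)  # root label ends an uncompressed name
    if len(out) > 255:
        raise ValueError(f"option is {len(out)} bytes; maximum is 255")
    return bytes(out)


def decode_search_list(data):
    """Decode Option 119 data back to domains, following pointers."""
    domains, pos = [], 0
    while pos < len(data):
        labels, p, end = [], pos, None
        while True:
            n = data[p]
            if (n & 0xC0) == 0xC0:  # two-byte pointer ends this name
                end = end or p + 2
                target = ((n & 0x3F) << 8) | data[p + 1]
                if target >= p:  # only backward pointers are valid
                    raise ValueError(f"bad pointer at offset {p}")
                p = target
            elif n == 0:
                end = end or p + 1
                break
            else:
                labels.append(data[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
        domains.append(".".join(labels))
        pos = end
    return domains
```

Call `encode_search_list([...]).hex()` to get the string for the firewall field, and `decode_search_list(bytes.fromhex(s))` to confirm an existing entry resolves to the intended domains.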

Verifying it works as expected

In Windows 10, run ipconfig /renew and then ipconfig /all to verify that the domains show up in the DNS Suffix Search List.

In macOS and Linux, execute the command:

cat /etc/resolv.conf



Additional Information


  • DHCP Option 119 is defined in RFC 3397
  • DHCP Option 119 is supported in PAN-OS 8.1 and later
  • DHCP Option 119 allows up to 255 characters of data, which can be used to configure multiple search domains.
  • It is good practice to test the DHCP Option 119 configuration by running the nslookup or dig command on the client device after DHCP Option 119 is configured on the DHCP server, to validate the configuration.
  • DHCP Option 119 is often used in conjunction with DHCP Option 15 (Domain Name) to provide full DNS resolution capabilities.
Note: It is always recommended to test the implementation in a lab environment before implementing in production.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saawCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail