DNS queries fail when DNS proxy is configured on the Firewall

Created On 08/15/24 03:06 AM - Last Modified 10/15/25 17:26 PM


Symptom


  • DNS proxy is configured on the Firewall.
  • Large DNS queries from users passing through the firewall fail with an error.
  • A packet capture shows the UDP queries failing with "Message is truncated".
  • The client machine then tries to establish a new TCP DNS connection to the DNS proxy, but the firewall drops the SYN packets even though DNS traffic over TCP (TCP/53) is allowed in the security policy.

Packet capture: UDP DNS
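To make the fallback path in the symptom concrete, here is an added Python example (not from this article, and not PAN-OS code) that reads the TC ("truncated") bit from a constructed UDP reply and shows the 2-byte length framing a stub resolver uses when it retries the same query over TCP/53. If the proxy never accepts that TCP connection, the client is stuck at exactly this step.

```python
import struct

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags field (RFC 1035 section 4.1.1)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query (RD set) in UDP wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_truncated(udp_response: bytes) -> bool:
    """True when the resolver set TC: the full answer did not fit the UDP payload."""
    if len(udp_response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", udp_response[2:4])[0]
    return bool(flags & TC_FLAG)


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def next_step(udp_response: bytes, query: bytes) -> tuple[str, bytes]:
    """What a stub resolver does after the UDP reply: accept it, or re-send the query on TCP/53.

    The retry is a brand-new TCP connection, so it needs TCP/53 to actually be
    answered by the proxy, not just permitted by the security policy.
    """
    if is_truncated(udp_response):
        return ("retry_tcp", frame_for_tcp(query))
    return ("accept_udp", udp_response)


# Constructed sample messages: the query, a truncated reply (flags 0x8380 = QR|TC|RD|RA)
# and a complete reply (flags 0x8180 = QR|RD|RA). Both reuse the question section only.
QUERY = build_query("example.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for name, reply in (("truncated", TRUNCATED_REPLY), ("complete", COMPLETE_REPLY)):
        action, payload = next_step(reply, QUERY)
        print(f"{name:9s} -> {action} ({len(payload)} bytes on the wire)")
```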



Environment


  • Palo Alto Networks Firewalls
  • Supported PAN-OS
  • DNS proxy configuration enabled


Cause


The advanced TCP option wasn't enabled under the DNS proxy.



Resolution


  1. Enable Advanced TCP options.
  2. Navigate to Network > DNS Proxy > [select proxy] > Advanced and select the [TCP Queries] checkbox.

