Firewall unable to connect to dns.service.paloaltonetworks.com when proxy IP address is changed

Created On 09/29/22 01:43 AM - Last Modified 04/05/24 03:28 AM


Symptom


  • When the web-proxy IP address is changed, the firewall uses port 1080 to reach dns.service.paloaltonetworks.com.
  • The issue occurs only when the firewall is configured with a proxy and the proxy's IP address is changed.
  • The firewall still goes through the proxy server to reach dns.service.paloaltonetworks.com, but on port 1080 once the proxy server's IP address has changed.
  • The proxy server does not accept the request on port 1080.
  • As a result, dynamic updates and WildFire updates fail.


Environment


  • Palo Alto Firewalls
  • PAN-OS: 9.1.9, 10.0.7, 10.0.8, 10.1.4, 10.1.6
  • DNS


Cause


Software issue. Changing the proxy server's IP address causes dnsproxyd to use port 1080 to reach the DNS security server.

Resolution


  1. Restart the dnsproxyd process to temporarily resolve the issue. The workaround holds only until the proxy IP is changed again.
     > debug software restart process dnsproxy
  2. Upgrade to a fixed version, 10.1.7 or higher, when possible.

