How to Configure DNS Proxy for GlobalProtect Clients

DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used. 

1. Identify what is the tunnel interface referred to in the GlobalProtect Gateway configuration. Network > Global Protect > Gateways:

2. Navigate to Network > Interfaces > Tunnel and add the IP address to the tunnel interface identified from the preceding step:

Note: This IP address could be any random IP address. Also, make sure there is a proper routing and security rule in place to allow communication between this IP address and the DNS server.

3. Navigate to Network > Global Protect > Gateways>Agent> Network Services. Configure this IP address as the Primary DNS server IP for Global Protect Clients:

4. Navigate to Network > Global Protect > Gateways >Agent>client Settings>split tunnel>Include Access route. Configure this IP address in the access route table so that global protect clients gets the route for this IP through tunnel:

5. Navigate to Network > DNS Proxy. Configure the tunnel interface to act as DNS proxy. Configure primary and secondary DNS servers to be used. DNS proxy rules can be configured to send a DNS query to the internal DNS server for internal domains. If the domain is not matched, default DNS servers would be used. 

Note: If a DNS query comes to the firewall tunnel interface for, let's say, paloalto.panvmlab.com, the firewall will send the DNS request to 192.168.243.221. However, if a DNS request comes for, let's say, google.com, since the domain name does not match the name in proxy rule, the firewall sends the DNS request to default servers 8.8.8.8 or 4.2.2.2.

Similarly, static entries can be created on the firewall so that DNS requests for that FQDN responds with a configured static IP address:

6- Configure security policy and NAT rules as required for communication with internal or external DNS servers. Source IP of DNS requests would be the tunnel interface IP address:

Tunnel interface is Trust-Wifi zone, Internal DNS server in Trust zone and External DNS server in Untrust zone.