How to Configure DNS Proxy for GlobalProtect Clients


Created On 09/25/18 17:39 PM - Last Modified 07/21/20 19:31 PM


This article shows how to configure DNS proxy for GlobalProtect clients.


For information on how to configure GlobalProtect on the firewall, please click here.




  • Pan-OS
  • Globalprotect



DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used. 



1. Identify the tunnel interface referenced in the GlobalProtect Gateway configuration under Network > GlobalProtect > Gateways:






2. Navigate to Network > Interfaces > Tunnel and assign an IP address to the tunnel interface identified in the preceding step:




Note: This can be any IP address; it only needs to be reachable from the GlobalProtect clients through the tunnel. Also make sure proper routing and a security rule are in place to allow communication between this IP address and the DNS server.



3. Navigate to Network > GlobalProtect > Gateways > Agent > Network Services. Configure this IP address as the Primary DNS server IP for GlobalProtect clients:




4. Navigate to Network > GlobalProtect > Gateways > Agent > Client Settings > Split Tunnel > Include Access Route. Add this IP address to the access route table so that GlobalProtect clients receive a route for it through the tunnel:


5. Navigate to Network > DNS Proxy and configure the tunnel interface to act as the DNS proxy. Configure the primary and secondary DNS servers to be used. DNS proxy rules can be configured to send DNS queries for internal domains to the internal DNS server; if a domain does not match any rule, the default DNS servers are used.




Note: If a DNS query comes to the firewall tunnel interface for, let's say,, the firewall will send the DNS request to However, if a DNS request comes for, let's say,, since the domain name does not match the name in proxy rule, the firewall sends the DNS request to default servers or


Similarly, static entries can be created on the firewall so that DNS requests for a given FQDN are answered with a configured static IP address:



6. Configure security policy and NAT rules as required for communication with the internal or external DNS servers. The source IP of the forwarded DNS requests is the tunnel interface IP address:


In this example the tunnel interface is in the Trust-Wifi zone, the internal DNS server is in the Trust zone, and the external DNS server is in the Untrust zone.
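The resolution order the steps above configure (static entry, proxy cache, domain rule, default servers) and the firewall-originated flows that step 6 must permit, as an added model in Python; this is not code from the article or from PAN-OS, and the names, addresses and the suffix-match behaviour of a domain rule are assumptions:

```python
from dataclasses import dataclass, field

# Constructed sample mirroring the steps above; all names and addresses are made up.
@dataclass
class DnsProxy:
    interface_ip: str                 # tunnel interface IP handed to GlobalProtect clients as DNS server
    default_servers: tuple            # (primary, secondary) configured under Network > DNS Proxy
    domain_rules: dict                # rule name -> (domain suffix, (primary, secondary))
    static_entries: dict              # fqdn -> IP answered directly by the firewall
    cache: dict = field(default_factory=dict)  # fqdn -> IP learned from earlier forwarded answers

    def decide(self, qname):
        """Return (action, target): how the proxy handles a query for qname."""
        q = qname.rstrip(".").lower()
        if q in self.static_entries:           # static entry: answered locally (modelled as checked first)
            return ("static", self.static_entries[q])
        if q in self.cache:                    # cached answer: no forwarding needed
            return ("cache", self.cache[q])
        for name, (suffix, servers) in self.domain_rules.items():
            # Assumption: a rule configured as "*.<suffix>" behaves as a suffix match.
            if q == suffix or q.endswith("." + suffix):
                return ("rule:" + name, servers)
        return ("default", self.default_servers)  # no rule matched

    def session(self, qname):
        """(src, dst) of the flow the firewall originates for qname, or None if answered locally.
        These are exactly the flows step 6's security policy and NAT rules must cover."""
        action, target = self.decide(qname)
        if action in ("static", "cache"):
            return None
        return (self.interface_ip, target[0])  # source is the tunnel IP; primary server is tried first

    def learn(self, qname, ip):
        """Record a forwarded answer so that later queries are served from the cache."""
        self.cache[qname.rstrip(".").lower()] = ip

# Hypothetical deployment: internal zone corp.example, external default resolvers.
EXAMPLE = DnsProxy(
    interface_ip="192.168.250.1",
    default_servers=("203.0.113.53", "203.0.113.54"),
    domain_rules={"internal": ("corp.example", ("10.10.10.53", "10.10.10.54"))},
    static_entries={"portal.corp.example": "10.10.20.5"},
)

if __name__ == "__main__":
    for q in ("portal.corp.example", "mail.corp.example", "www.example.com"):
        print(q, EXAMPLE.decide(q), EXAMPLE.session(q))
```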








Additional Information



  • resolved to , which is the static entry configured in DNS proxy
  • resolved to its internal IP address using the internal DNS server, since the domain name matched a proxy rule
  • resolved to its IP address using the external primary DNS server, since the domain name did not match any rule
  • Following are the sessions created for the internal and external DNS queries:


Note: For more information on DNS proxy, please follow this link: DNS Proxy
