How to Configure DNS Proxy for GlobalProtect Clients

How to Configure DNS Proxy for GlobalProtect Clients

80749
Created On 09/25/18 17:39 PM - Last Modified 07/21/20 19:31 PM


Symptom

This article shows how to configure DNS proxy for GlobalProtect clients.

 

For information on how to configure GlobalProtect on the firewall, please click here.

For the video link, please click here.

 



Environment
  • Pan-OS
  • Globalprotect


Resolution

 

DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used. 

 

 

1. Identify what is the tunnel interface referred to in the GlobalProtect Gateway configuration. Network > Global Protect > Gateways:

 

User-added image

 

 

 

2. Navigate to Network > Interfaces > Tunnel and add the IP address to the tunnel interface identified from the preceding step:

 

User-added image

 

Note: This IP address could be any random IP address. Also, make sure there is a proper routing and security rule in place to allow communication between this IP address and the DNS server.

 

 

3. Navigate to Network > Global Protect > Gateways>Agent> Network Services. Configure this IP address as the Primary DNS server IP for Global Protect Clients:

 

GP-GW-Network-Services.png

 

4. Navigate to Network > Global Protect > Gateways >Agent>client Settings>split tunnel>Include Access route. Configure this IP address in the access route table so that global protect clients gets the route for this IP through tunnel:

GP-GW-Client-Settings.png

5. Navigate to Network > DNS Proxy. Configure the tunnel interface to act as DNS proxy. Configure primary and secondary DNS servers to be used. DNS proxy rules can be configured to send a DNS query to the internal DNS server for internal domains. If the domain is not matched, default DNS servers would be used. 

 

DNS-Proxy1.png

 

Note: If a DNS query comes to the firewall tunnel interface for, let's say, paloalto.panvmlab.com, the firewall will send the DNS request to 192.168.243.221. However, if a DNS request comes for, let's say, google.com, since the domain name does not match the name in proxy rule, the firewall sends the DNS request to default servers 8.8.8.8 or 4.2.2.2.

 

Similarly, static entries can be created on the firewall so that DNS requests for that FQDN responds with a configured static IP address:

 

DNS-Proxy2.png

6- Configure security policy and NAT rules as required for communication with internal or external DNS servers. Source IP of DNS requests would be the tunnel interface IP address:

 

Tunnel interface is Trust-Wifi zone, Internal DNS server in Trust zone and External DNS server in Untrust zone.

 

Screen Shot 2016-11-07 at 2.31.42 PM.png 

Screen Shot 2016-11-07 at 2.23.49 PM.png

 

 

 

 



Additional Information

Verification





Screen Shot 2016-11-07 at 2.30.33 PM.png

 
  • Testing-proxy.com resolved to 1.1.1.1 ,which is the static entry configured in DNS proxy
  • paloalto.panvmlab.com resolved to internal IP address using internal DNS server since the domain name matched
  • google.com resolved to its IP address using external primary DNS server since the domain name did not match
  • Following are the sessions created for internal and external DNS queries:


Screen Shot 2016-11-07 at 2.34.57 PM.png




Note: For more information of DNS proxy please follow this link 
DNS Proxy
 


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClHf&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language