FQDN objects are failing to resolve when DNS Proxy object is configured


25909
Created On 05/13/20 17:24 PM - Last Modified 07/16/20 23:13 PM


Symptom


  • After upgrading to PAN-OS 9.0, FQDN objects fail to resolve when a DNS Proxy object is configured under GUI: Device > Setup > Services > Global > DNS Proxy > <object-name>
  • The "show dns-proxy fqdn all" command displays the FQDNs with IP address 0.0.0.0

[Screenshot: "show dns-proxy fqdn all" output when Cache is not enabled for the DNS Proxy object; the FQDN objects are not resolved.]


Environment


  • PAN-OS 9.0.
  • Palo Alto Firewall.
  • DNS Proxy object configured.


Cause


This is expected behavior if DNS Cache is not selected under GUI: Network > DNS Proxy > Advanced > Cache

Starting from PAN-OS 9.0 onward, the refresh of FQDN address objects is TTL-driven instead of a batch process run at a static interval. TTL-driven means that the DNS Proxy daemon tracks the TTL value received in each DNS response for an FQDN address object.

When the number of seconds dictated by the TTL has elapsed, the DNS Proxy daemon initiates a new request to check whether the FQDN resolution has changed. For this to work properly, cache must be enabled for the DNS Proxy object under its advanced settings, because the cache entry is what carries the TTL the daemon tracks.
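The following is an added illustrative model of the TTL-driven refresh described above. It is not PAN-OS code (the DNS Proxy daemon's implementation is not public); the class and function names, the constructed upstream answers and the `0.0.0.0` placeholder for an unresolved object are assumptions made for the example. It shows why the cache matters: the refresh loop schedules re-queries off the TTL stored with the cache entry, so with caching disabled there is nothing to track and the FQDN object never gets populated.

```python
"""
Illustrative model (added example, not PAN-OS source) of a TTL-driven FQDN
refresh loop. The daemon holds one cache entry per FQDN with an absolute
expiry computed from the DNS answer's TTL, and re-queries only when that
expiry has passed. Without a cache there is no expiry to schedule against.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsAnswer:
    ip: str
    ttl: int  # seconds the upstream server allows this answer to be held


# Displayed for an FQDN object that holds no answer (matches the article's symptom).
UNRESOLVED = "0.0.0.0"


class DnsProxyModel:
    """Hypothetical model of the DNS Proxy daemon's FQDN refresh behaviour."""

    def __init__(self, cache_enabled: bool, upstream: Dict[str, DnsAnswer]) -> None:
        self.cache_enabled = cache_enabled
        self.upstream = upstream  # stands in for the real upstream DNS servers
        # fqdn -> (ip, absolute expiry time); only ever populated when caching is on
        self.cache: Dict[str, Tuple[str, int]] = {}
        # fqdn -> IP address the policy engine currently uses for that object
        self.fqdn_objects: Dict[str, str] = {}

    def add_fqdn_object(self, fqdn: str) -> None:
        self.fqdn_objects[fqdn] = UNRESOLVED

    def _query_upstream(self, fqdn: str, now: int) -> Optional[DnsAnswer]:
        answer = self.upstream.get(fqdn)
        if answer is not None and self.cache_enabled:
            # The cache entry carries the TTL the daemon will track for the refresh.
            self.cache[fqdn] = (answer.ip, now + answer.ttl)
        return answer

    def tick(self, now: int) -> None:
        """One pass of the refresh loop at time `now` (seconds)."""
        for fqdn in self.fqdn_objects:
            entry = self.cache.get(fqdn)
            if entry is None or entry[1] <= now:
                # No entry yet, or its TTL expired: ask upstream again.
                self._query_upstream(fqdn, now)
            entry = self.cache.get(fqdn)
            # The object's IP is derived from the cache, so with caching disabled
            # it stays 0.0.0.0 no matter how often upstream is queried.
            self.fqdn_objects[fqdn] = entry[0] if entry else UNRESOLVED


def simulate(cache_enabled: bool) -> List[Tuple[int, str]]:
    """Run the model through a TTL expiry and an upstream record change.

    Returns (time, resolved_ip) snapshots for the constructed FQDN.
    """
    fqdn = "app.example.com"  # constructed sample name
    upstream = {fqdn: DnsAnswer("192.0.2.10", 60)}  # constructed answer, 60 s TTL
    proxy = DnsProxyModel(cache_enabled, upstream)
    proxy.add_fqdn_object(fqdn)

    snapshots = []
    proxy.tick(0)
    snapshots.append((0, proxy.fqdn_objects[fqdn]))

    # Upstream changes the record. At t=30 the 60 s TTL is still valid, so a
    # TTL-driven daemon must not re-query yet; at t=60 it must.
    upstream[fqdn] = DnsAnswer("192.0.2.20", 60)
    proxy.tick(30)
    snapshots.append((30, proxy.fqdn_objects[fqdn]))
    proxy.tick(60)
    snapshots.append((60, proxy.fqdn_objects[fqdn]))
    return snapshots


if __name__ == "__main__":
    print("cache enabled :", simulate(True))
    print("cache disabled:", simulate(False))
```

With caching enabled the snapshots move from 192.0.2.10 to 192.0.2.20 exactly when the TTL runs out; with caching disabled every snapshot stays at 0.0.0.0, which is the state the "show dns-proxy fqdn all" output in the Symptom section reflects.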

 



Resolution


  1. Enable Cache for the DNS Proxy object under GUI: Network > DNS Proxy > Advanced > Cache, and commit the configuration.

[Screenshot: DNS Proxy object advanced settings with Cache enabled. Cache needs to be enabled for the DNS Proxy object to work properly.]

  2. After running "request system fqdn refresh", the "show dns-proxy all" command displays the correct IP address.

[Screenshot: command output with the FQDN objects showing the required results.]

