About DNS Proxy
Learn more about the firewall when functioning as a DNS proxy.
When configured as a DNS proxy, the firewall acts as an intermediary between DNS
clients and servers. Additionally, it acts as a DNS server itself by resolving queries
from its DNS proxy cache. If the firewall doesn't find the domain name in its DNS proxy
cache, the firewall searches for a domain name match among the entries in the specific
DNS proxy object on the interface on which the DNS query arrived. The firewall then
forwards the query to the appropriate DNS server based on the match result. If no match
is found, the firewall uses the default DNS server.
A DNS proxy object is where you configure the settings that determine how the firewall functions
as a DNS proxy. In the proxy object, you specify the interfaces for which the firewall
is acting as DNS proxy. The DNS proxy for the interface doesn’t use the service route;
responses to the DNS requests are always sent to the interface assigned to the logical
router where the DNS request arrived.
When you Configure a DNS Proxy Object, you can supply the DNS proxy with
static FQDN-to-address mappings. You can also create DNS proxy rules that
control which DNS server receives the domain name queries that match the
rules. A single firewall supports a maximum of 256 DNS proxy objects.
When the firewall receives an FQDN query where the domain isn’t in the DNS proxy cache, it
compares the domain name from the FQDN query to the domain names in the DNS Proxy rules.
If you specify multiple domain names in a single DNS Proxy rule, a query that matches
any one of the domain names in the rule means that the query matches the rule.
DNS Proxy Rule and FQDN Matching describes how the firewall determines
whether an FQDN matches a domain name in a DNS proxy rule. A DNS query that matches a
rule is sent to the primary DNS server configured for the proxy object to be
resolved.
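
The lookup order described above (DNS proxy cache, then the rules of the proxy object bound to the ingress interface, then the default server), modeled as an added example that is not code from this documentation or from the firewall. The class names, the addresses, the per-rule primary server and the simplified matching (exact name or a leading `*.` wildcard) are assumptions; the actual matching behavior is defined in DNS Proxy Rule and FQDN Matching.

```python
# Added example: a simplified model of the lookup order described on this page.
# All names, addresses and the matching logic are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ProxyRule:
    name: str
    domains: list      # a query matching any one of these matches the rule
    primary: str       # DNS server that receives matching queries (assumed per rule)


@dataclass
class ProxyObject:
    interfaces: set
    default_server: str
    rules: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)   # FQDN -> cached address


def domain_matches(pattern, fqdn):
    """Assumed matching: exact name, or '*.' prefix matching any subdomain."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and len(fqdn) > len(pattern) - 1
    return fqdn == pattern


def resolve_path(proxies, interface, fqdn):
    """Return (source, value) showing how a query on `interface` is handled."""
    proxy = next((p for p in proxies if interface in p.interfaces), None)
    if proxy is None:
        return ("no-proxy", None)            # interface not served by any object
    key = fqdn.lower().rstrip(".")
    if key in proxy.cache:
        return ("cache", proxy.cache[key])   # answered by the firewall itself
    for rule in proxy.rules:
        if any(domain_matches(d, fqdn) for d in rule.domains):
            return ("rule:" + rule.name, rule.primary)
    return ("default", proxy.default_server)


# Constructed sample configuration (documentation-range addresses).
PROXIES = [ProxyObject(
    interfaces={"ethernet1/2"},
    default_server="198.51.100.53",
    rules=[ProxyRule("corp", ["corp.example", "*.corp.example"], "192.0.2.10")],
    cache={"www.example.org": "203.0.113.7"},
)]
```

Running candidate names through a model like this when reviewing a rule set shows whether a look-alike name such as `evilcorp.example` would be sent to the internal resolver or fall through to the default server.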