PAN-OS
Learn how to configure destination NAT with DNS rewrite on PAN-OS.
  1. Log in to your NGFW.
  2. Select Policies > NAT and Add a NAT policy rule.
  3. (Optional) On the General tab, enter a descriptive Name for the rule.
  4. For NAT Type, select ipv4.
  5. On the Original Packet tab, Add a Destination Address.
    You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address on the Original Packet tab is matched. DNS rewrite ignores all other fields on the Original Packet tab, unless you are configuring DNS rewrite with conditions.
  6. Select an applicable Service if necessary.
  7. In the Translated Packet window, select Destination Address Only.
  8. Set the Translation Type to Static IP.
  9. Select a Translated Address or enter a new address.
  10. (Optional) Enter a Translated Port.
  11. Enable DNS Rewrite and select a Direction:
    • Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
    • Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
  12. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) Make the DNS rewrite action for this rule conditional by enabling Match NAT Rule Source. Translate the IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to occur only for specific DNS clients.
    • The firewall increments the ctd_dns_rewrite_nat_source_match counter when a source IP address or source zone in a DNS response matches a source IP address or source zone configured in the Original Packet.
    • The firewall increments the ctd_dns_rewrite_nat_source_mismatch counter when a source IP address or source zone in a DNS response doesn't match a source IP address or source zone configured in the Original Packet.
  13. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude From Zone, Add one or more source zones to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any zone.
    When the client and server belong to different virtual systems, if you are configuring DNS rewrite in the server's virtual system, you can only exclude a source zone at the vsys level, meaning a zone between the two virtual systems.
  14. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude Source Address, Add one or more source address objects or address groups or add a New Address to enter a source IP address to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any address. A static address group is supported as long as all of its members are a supported address type (IP Netmask or IP Range). To add a New Address, configure the following:
    1. Name of the IPv4 address.
    2. Description of the IPv4 address.
    3. Type of address. For IP Netmask, enter an IPv4 address or a network in slash notation; for example, 192.168.80.150 or 192.168.80.0/24. You can also enter an IPv6 address or an IPv6 address with its prefix; for example, 2001:db8:123::1 or 2001:db8:123::/64. You can exclude an IPv6 address even though DNS rewrite supports only IPv4, because the client's underlying network may be IPv6 while the DNS client requests an A record (IPv4 address). For IP Range, enter an IPv4 address range (for example, 10.0.0.1-10.0.0.4) or an IPv6 address range (for example, 2001:db8:123:1::1-2001:db8:123:1::11).
      When you Exclude Source Address:
      • Only IP Netmask and IP Range are supported.
      • The Any keyword is not allowed.
      • IP Wildcard Mask is not supported.
      • Address types that update incrementally, such as FQDN, Dynamic IP List, and Dynamic Address Group, are not supported.
      • Static address group is supported as long as all of its members have a supported address type.
    4. Add one or more Tags to the address.
    A DNS rewrite mapping rule isn't matched in any of the following conditions:
    • The IPv4 address in the DNS response doesn't match the IP range in the rule.
    • Match NAT Rule Source is enabled, and the DNS session's client doesn't match the source zone and source address configured in the NAT rule.
    • Exclude From Zone is configured and the DNS session's source zone is excluded.
    • Exclude Source Address is configured and the DNS session's source address is excluded.
  15. Click OK.
  16. Save your changes.
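As an added illustration (not PAN-OS code and not taken from this page), the following Python models the per-response decision the firewall makes from the Direction, Match NAT Rule Source, Exclude From Zone and Exclude Source Address settings in steps 11 through 14, including the four not-matched conditions listed above. The rule model, the `rewrite_dns_answer` and `address_matches` functions, and all addresses and zone names are constructed assumptions; only the counter names come from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed rule model mirroring the fields on the NAT rule tabs (assumption, not PAN-OS code).
@dataclass
class DnsRewriteRule:
    original_dst: str                 # Original Packet > Destination Address
    translated_dst: str               # Translated Packet > Translated Address
    direction: str = "reverse"        # DNS Rewrite Direction: "reverse" (default) or "forward"
    source_zones: set = field(default_factory=set)    # Original Packet source zones (empty = Any)
    source_addrs: list = field(default_factory=list)  # Original Packet source addresses (empty = Any)
    match_nat_rule_source: bool = False
    exclude_zones: set = field(default_factory=set)   # Exclude From Zone (Any not allowed)
    exclude_addrs: list = field(default_factory=list) # Exclude Source Address: IP Netmask / IP Range

# Counter names as given on the page; the values here are only this script's own tallies.
counters = {"ctd_dns_rewrite_nat_source_match": 0, "ctd_dns_rewrite_nat_source_mismatch": 0}

def address_matches(ip, entries):
    """True if ip falls in any IP Netmask (a.b.c.d/n) or IP Range (lo-hi) entry; IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:  # IP Range: inclusive bounds, same address family only
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):  # IP Netmask; False across families
            return True
    return False

def rewrite_dns_answer(rule, answer_ip, client_ip, client_zone):
    """Return the (possibly rewritten) A-record address for one DNS response seen by this rule."""
    # Exclusions: a DNS session from an excluded client zone or address is never rewritten.
    if client_zone in rule.exclude_zones or address_matches(client_ip, rule.exclude_addrs):
        return answer_ip
    # Match NAT Rule Source: the DNS client must match the rule's source zone and source address.
    if rule.match_nat_rule_source:
        zone_ok = not rule.source_zones or client_zone in rule.source_zones
        addr_ok = not rule.source_addrs or address_matches(client_ip, rule.source_addrs)
        if not (zone_ok and addr_ok):
            counters["ctd_dns_rewrite_nat_source_mismatch"] += 1
            return answer_ip
        counters["ctd_dns_rewrite_nat_source_match"] += 1
    # Direction decides which side of the rule's translation the answer must equal to be rewritten.
    if rule.direction == "reverse":
        return rule.original_dst if answer_ip == rule.translated_dst else answer_ip
    if rule.direction == "forward":
        return rule.translated_dst if answer_ip == rule.original_dst else answer_ip
    raise ValueError(f"unknown DNS rewrite direction {rule.direction!r}")
```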