DNS Proxy Rule and FQDN Matching
When you configure the firewall with a DNS Proxy Object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows:
| FQDN Comparison to DNS Proxy Rule | For Example |
|---|---|
| The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token. | `*.boat.fish.com` consists of four tokens: [*][boat][fish][com] |
| The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings are not matched. | Rule: `fishing`<br>FQDN: `fish` — Not a Match |
| An exception to the exact match requirement is the use of the wildcard, an asterisk (*). The * matches one or more tokens. This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens. | Rule: `*.boat.com`<br>FQDN: `www.boat.com` — Match<br>FQDN: `www.blue.boat.com` — Match<br>FQDN: `boat.com` — Not a Match<br><br>Rule: `*`<br>FQDN: `boat` — Match<br>FQDN: `boat.com` — Match<br>FQDN: `www.boat.com` — Match |
| You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not with other characters within a single token). | Rule: `www.*.com`<br>FQDN: `www.boat.com` — Match<br>FQDN: `www.blue.boat.com` — Match<br><br>Rule: `www.boat.*`<br>FQDN: `www.boat.com` — Match<br>FQDN: `www.boat.fish.com` — Match<br><br>Rule: `www.boat*.com` — Invalid |
| Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each non-consecutive * matches one or more tokens. | Rule: `a.*.d.*.com`<br>FQDN: `a.b.d.e.com` — Match<br>FQDN: `a.b.c.d.e.f.com` — Match<br>FQDN: `a.d.d.e.f.com` — Match (first * matches d; second * matches e and f)<br>FQDN: `a.d.e.f.com` — Not a Match (first * matches d; the subsequent d in the rule is not matched) |
| When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token. This means a rule consisting of only `*.*` matches any FQDN with two or more tokens. | Consecutive wildcards preceding tokens:<br>Rule: `*.*.boat.com`<br>FQDN: `www.blue.boat.com` — Match<br>FQDN: `www.blue.sail.boat.com` — Match<br><br>Consecutive wildcards between tokens:<br>Rule: `www.*.*.boat.com`<br>FQDN: `www.blue.sail.boat.com` — Match<br>FQDN: `www.big.blue.sail.boat.com` — Match<br><br>Consecutive wildcards trailing tokens:<br>Rule: `www.boat.*.*`<br>FQDN: `www.boat.fish.com` — Match<br>FQDN: `www.boat.fish.ocean.com` — Match<br><br>Consecutive wildcards only:<br>Rule: `*.*`<br>FQDN: `boat` — Not a Match<br>FQDN: `boat.com` — Match<br>FQDN: `www.boat.com` — Match |
| Consecutive and non-consecutive wildcards can appear in the same rule. | Rule: `a.*.d.*.*.com`<br>FQDN: `a.b.c.d.e.f.com` — Match (first * matches b and c; second * matches e; third * matches f)<br>FQDN: `a.b.c.d.e.com` — Not a Match (first * matches b and c; second * matches e; third * not matched) |
| The Implicit-tail-match behavior provides an additional shorthand: as long as the last token of the rule is not an *, a comparison will match if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn't have. | Rule: `www.boat.fish`<br>FQDN: `www.boat.fish.com` — Match<br>FQDN: `www.boat.fish.ocean.com` — Match<br>FQDN: `www.boat.fish` — Match |
| This rule ends with *, so the Implicit-tail-match rule doesn't apply. The * behaves as stated; it matches one or more tokens. | Rule: `www.boat.fish.*`<br>FQDN: `www.boat.fish.com` — Match<br>FQDN: `www.boat.fish.ocean.com` — Match<br>FQDN: `www.boat.fish` — Not a Match (this FQDN does not have a token to match the * in the rule) |
| In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*). | FQDN: `boat.fish.com`<br>Rule 1: `*.fish.com` — Match<br>Rule 2: `*.com` — Match<br>Rule 3: `boat.fish.com` — Match and Tie-Breaker<br>The FQDN matches all three rules; the firewall uses Rule 3 because it is the most specific.<br><br>FQDN: `fish.com`<br>Rule 1: `*.fish.com` — Not a Match<br>Rule 2: `*.com` — Match<br>Rule 3: `boat.fish.com` — Not a Match<br>The FQDN does not match Rule 1 because the * does not have a token to match.<br><br>FQDN: `blue.boat.fish.com`<br>Rule 1: `*.fish.com` — Match and Tie-Breaker<br>Rule 2: `*.com` — Match<br>Rule 3: `boat.fish.com` — Not a Match<br>The FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific. |
| When working with wildcards (*) and Implicit-tail-match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally. To avoid ambiguity, if rules with an Implicit-tail-match or a wildcard (*) can overlap, replace an Implicit-tail-match rule by specifying the tail token. | Replace this:<br>Rule: `www.boat`<br>with this:<br>Rule: `www.boat.com` |

| Best Practices for Creating DNS Proxy Rules to Avoid Ambiguity and Unexpected Results | For Example |
|---|---|
| Include a top-level domain in the domain name to avoid invoking an Implicit-tail-match that may match the FQDN to more than one rule. | `boat.com` |
| If you use a wildcard (*), use it only as the leftmost token. This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS. | `*.boat.com` |
| Use no more than one * in a rule. | |
| Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers. The tie-breaking algorithm will select the most specific match, based on the number of matched tokens. | Rule: `*.corporation.com` — DNS server A<br>Rule: `www.corporation.com` — DNS server B<br>Rule: `*.internal.corporation.com` — DNS server C<br>Rule: `www.internal.corporation.com` — DNS server D<br>FQDN: `mail.internal.corporation.com` — matches DNS server C<br>FQDN: `mail.corporation.com` — matches DNS server A |
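The following Python is an added illustration, not PAN-OS code: it reproduces the token-matching semantics documented in the table above (exact token match, `*` for one or more tokens, a `*` directly after another `*` for exactly one token, Implicit-tail-match when the rule does not end in `*`) and applies the "most specific rule wins" tie-breaker to the best-practice rule set, so you can check how an FQDN would be steered to a DNS server before committing rules. The lowercase normalisation, the exact tie-break key (count of literal tokens, then fewer wildcards) and the choice to report an unresolved tie as an error are assumptions of this example; the firewall's internal tie-break ordering is not specified on this page.

```python
"""Reference matcher for DNS proxy rule / FQDN comparison (added example).

Assumptions (not documented on the page): tokens are compared case-insensitively,
the tie-break key is (number of literal tokens, fewer wildcards), and a tie that
the key cannot resolve is reported as an error rather than silently picked.
"""
from typing import Dict, List, Optional, Tuple


def tokenize(name: str) -> List[str]:
    """Split a rule or FQDN on '.', ignoring a trailing dot and empty tokens."""
    return [t for t in name.lower().rstrip(".").split(".") if t]


def is_valid_rule(rule: str) -> bool:
    """A '*' must be a whole token; 'www.boat*.com' is invalid per the table."""
    return all(tok == "*" or "*" not in tok for tok in tokenize(rule))


def fqdn_matches_rule(rule: str, fqdn: str) -> bool:
    """Return True when the FQDN matches the rule under the documented semantics."""
    if not is_valid_rule(rule):
        raise ValueError(f"invalid rule {rule!r}: wildcard must be a whole token")
    r, f = tokenize(rule), tokenize(fqdn)
    # Implicit-tail-match: extra trailing FQDN tokens are allowed only when the
    # rule's last token is not '*'.
    implicit_tail = bool(r) and r[-1] != "*"

    def match(ri: int, fi: int, after_star: bool) -> bool:
        if ri == len(r):
            return fi == len(f) or implicit_tail
        tok = r[ri]
        if tok != "*":
            # Exact token match only; partial strings never match.
            return fi < len(f) and f[fi] == tok and match(ri + 1, fi + 1, False)
        remaining = len(f) - fi
        # A '*' that directly follows another '*' consumes exactly one token;
        # otherwise it consumes one or more (backtrack over the count).
        max_take = min(remaining, 1) if after_star else remaining
        return any(match(ri + 1, fi + take, True) for take in range(1, max_take + 1))

    return match(0, 0, False)


def specificity(rule: str) -> Tuple[int, int]:
    """Tie-break key: more literal tokens first, then fewer wildcards (assumed)."""
    toks = tokenize(rule)
    literal = sum(1 for t in toks if t != "*")
    return (literal, -(len(toks) - literal))


def select_rule(fqdn: str, rules: Dict[str, str]) -> Optional[str]:
    """Return the server label of the most specific matching rule.

    `rules` maps a rule domain name to a DNS server label. Returns None when no
    rule matches; raises ValueError when two matching rules tie, which is the
    ambiguity the page recommends designing rules to avoid.
    """
    matched = sorted((r for r in rules if fqdn_matches_rule(r, fqdn)),
                     key=specificity, reverse=True)
    if not matched:
        return None
    if len(matched) > 1 and specificity(matched[0]) == specificity(matched[1]):
        raise ValueError(f"ambiguous: {matched[0]!r} and {matched[1]!r} tie for {fqdn!r}")
    return rules[matched[0]]


def is_ambiguous(fqdn: str, rules: Dict[str, str]) -> bool:
    """True when the rule set cannot pick a single rule for this FQDN."""
    try:
        select_rule(fqdn, rules)
        return False
    except ValueError:
        return True


# Constructed rule set taken from the best-practices example above.
BEST_PRACTICE_RULES = {
    "*.corporation.com": "DNS server A",
    "www.corporation.com": "DNS server B",
    "*.internal.corporation.com": "DNS server C",
    "www.internal.corporation.com": "DNS server D",
}

if __name__ == "__main__":
    for name in ("mail.internal.corporation.com", "mail.corporation.com", "www.corporation.com"):
        print(f"{name} -> {select_rule(name, BEST_PRACTICE_RULES)}")
    # Two overlapping rules that both use a wildcard in a non-leftmost position
    # tie under the key above; the best practices exist to avoid exactly this.
    print("tie:", is_ambiguous("www.boat.com", {"*.boat.com": "X", "www.*.com": "Y"}))
```

Running the script prints the server chosen for each FQDN in the best-practices example (C, A, B) and flags the constructed `*.boat.com` versus `www.*.com` overlap as a tie. Adding candidate rules to `BEST_PRACTICE_RULES` and re-running is a quick way to confirm that a planned exception really is more specific than the base rule it is meant to override.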