The firewall implementation of Neighbor Discovery (ND)
is enhanced so that you can provision IPv6 hosts with the Recursive
DNS Server (RDNSS) Option and DNS Search List (DNSSL) Option per RFC 6106, IPv6 Router Advertisement Options for DNS Configuration.
When you Configure
Layer 3 Interfaces, you configure these DNS options on the
firewall so the firewall can provision your IPv6 hosts; therefore
you don’t need a separate DHCPv6 server to provision the hosts. The
firewall sends IPv6 Router Advertisements (RAs) containing these
options to IPv6 hosts as part of their DNS configuration to fully
provision them to reach internet services. Thus, your IPv6 hosts
are configured with:
The addresses of RDNS servers that can resolve DNS queries.
A list of domain names (suffixes) that the DNS client appends
(one at a time) to an unqualified domain name before entering the
domain name into a DNS query.
IPv6 Router Advertisement for DNS configuration is supported
for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces,
and Layer 3 VLAN interfaces on all PAN-OS platforms.
The capability of the firewall to send IPv6 RAs for DNS
configuration allows the firewall to perform a role similar to DHCP,
and is unrelated to the firewall being a DNS proxy, DNS client or
DNS server.
After you configure the firewall with the addresses of RDNS servers,
the firewall provisions an IPv6 host (the DNS client) with those
addresses. The IPv6 host uses one or more of those addresses to
reach an RDNS server. Recursive DNS refers to the series of DNS queries that
an RDNS server issues on the client’s behalf (to the root, top-level domain,
and authoritative name servers) until it obtains the answer, shown as three
pairs of queries and responses in the following figure. For example, when a
user tries to access www.paloaltonetworks.com, the local browser finds that it
does not have the IP address for that domain name in its cache, nor does the
client’s operating system have it. The client’s operating system then sends a
DNS query to a Recursive DNS Server (for example, one belonging to the local
ISP, or one the firewall advertised in its RA), which performs the recursive
lookups and returns the answer to the client.
An IPv6 Router Advertisement can contain multiple RDNSS options, each
with the same or a different lifetime. A single RDNSS option can carry
multiple RDNS server addresses, provided that all of them share the same
lifetime, because the option has only one Lifetime field.
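The wire format behind these rules, as an added example (not PAN-OS code or configuration): a small Python encoder and parser for the RFC 6106 RDNSS (type 25) and DNSSL (type 31) ND options. The server addresses (from the 2001:db8::/32 documentation prefix) and the suffixes are constructed sample values. The single Lifetime field in each option header is what forces all addresses in one option to share a lifetime, so the sample RA carries two RDNSS options to advertise two different lifetimes.

```python
"""Build and parse RFC 6106 RDNSS (type 25) and DNSSL (type 31) ND options.
Added example, not PAN-OS code; addresses and suffixes are constructed."""
import ipaddress
import struct

ND_OPT_RDNSS = 25
ND_OPT_DNSSL = 31
LIFETIME_INFINITE = 0xFFFFFFFF   # RFC 6106: all-ones means "use forever"


def build_rdnss(addresses, lifetime):
    """One RDNSS option. Header: Type, Length (8-octet units), Reserved,
    Lifetime (seconds); then 16-octet addresses that all share that lifetime."""
    if not addresses:
        raise ValueError("RDNSS option needs at least one address")
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = 1 + 2 * len(addresses)      # 8 B header + 16 B per address
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body


def _encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssl(suffixes, lifetime):
    """One DNSSL option; the name list is zero-padded to an 8-octet boundary."""
    names = b"".join(_encode_name(s) for s in suffixes)
    names += b"\x00" * ((-len(names)) % 8)
    length = 1 + len(names) // 8
    return struct.pack("!BBHI", ND_OPT_DNSSL, length, 0, lifetime) + names


def _decode_names(payload):
    """Decode the padded name list; trailing zero padding ends the list."""
    names, pos = [], 0
    while pos < len(payload) and payload[pos] != 0:
        labels = []
        while payload[pos] != 0:
            n = payload[pos]
            if pos + 1 + n >= len(payload):
                raise ValueError("truncated DNSSL name")
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        pos += 1
        names.append(".".join(labels))
    return names


def parse_options(blob):
    """Walk a chain of ND options; return (kind, lifetime, values) tuples for
    the RDNSS/DNSSL ones. Zero-length or truncated options are rejected, as
    RFC 4861 requires a receiver to discard such packets."""
    found, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated ND option header")
        typ, length = blob[off], blob[off + 1]
        if length == 0:
            raise ValueError("ND option length 0")
        end = off + 8 * length
        if end > len(blob):
            raise ValueError("truncated ND option")
        if typ == ND_OPT_RDNSS:
            lifetime = struct.unpack("!I", blob[off + 4:off + 8])[0]
            payload = blob[off + 8:end]
            if length < 3 or len(payload) % 16:
                raise ValueError("malformed RDNSS option")
            addrs = [str(ipaddress.IPv6Address(payload[i:i + 16]))
                     for i in range(0, len(payload), 16)]
            found.append(("RDNSS", lifetime, addrs))
        elif typ == ND_OPT_DNSSL:
            lifetime = struct.unpack("!I", blob[off + 4:off + 8])[0]
            found.append(("DNSSL", lifetime, _decode_names(blob[off + 8:end])))
        off = end                         # unknown option types are skipped
    return found


def sample_ra_options():
    """Constructed sample: two RDNSS options (different lifetimes, so they
    cannot be merged) followed by one DNSSL option."""
    return (build_rdnss(["2001:db8::53", "2001:db8::54"], 1800)
            + build_rdnss(["2001:db8:1::53"], LIFETIME_INFINITE)
            + build_dnssl(["company.com", "lab.company.com"], 1800))


if __name__ == "__main__":
    for kind, lifetime, values in parse_options(sample_ra_options()):
        print(kind, lifetime, values)
```

Running the module prints the three decoded options. The length and truncation checks in parse_options are the part worth keeping in any RA-processing code: the Length field is what a receiver trusts to step through the option chain, so an option that claims more bytes than the packet holds must be rejected rather than read past the buffer.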
A DNS Search List is a list of domain names (suffixes) that the
firewall advertises to a DNS client. The firewall thus provisions
the DNS client to use the suffixes in its unqualified DNS queries.
The DNS client appends the suffixes, one at a time, to an unqualified
domain name before it enters the name into a DNS query, so that the
query carries a fully qualified domain name (FQDN). For example, if a
user of the provisioned DNS client submits a DNS query for the name
“quality” without a suffix, the client appends a period and the first
DNS suffix from the DNS Search List to the name and transmits the DNS
query. If the first DNS suffix on the list is “company.com”, the
resulting DNS query from the client is for the FQDN “quality.company.com”.
If that DNS query fails, the client appends the second DNS suffix from
the list to the unqualified name and transmits a new DNS query. The
client uses the DNS suffixes in order until a DNS lookup succeeds
(ignoring the remaining suffixes) or the client has tried all of the
suffixes on the list.
You configure the firewall with the suffixes that you want to provide
to the DNS client in an ND DNSSL option; the DNS client receiving the
DNS Search List option is provisioned to use those suffixes in its
unqualified DNS queries.
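The client-side behaviour described above, as an added example (not PAN-OS code): a Python model of a DNS client walking an advertised search list. It reuses the page’s “quality” and “company.com” names; the zone data standing in for the RDNS server’s answers, the second suffix “lab.company.com”, and the lookup function are constructed. Two assumptions go beyond the text: a name with a trailing dot is treated as absolute and never gets a suffix, and once every suffix has failed the bare name is tried as-is (real resolvers also apply an ndots rule that can change this order).

```python
"""Model of a DNS client applying an RA DNS Search List (DNSSL).
Added example, not PAN-OS code; zone data and search list are constructed."""
import ipaddress

# Constructed sample zone data standing in for the RDNS server's answers.
SAMPLE_ZONE = {
    "quality.lab.company.com": "2001:db8:1::10",
    "intranet.company.com": "2001:db8::20",
    "www.example.net": "2001:db8:2::1",
}

# Search list as it would arrive in a DNSSL option, in advertised order.
SAMPLE_SEARCH_LIST = ["company.com", "lab.company.com"]


def lookup(fqdn, zone=SAMPLE_ZONE):
    """Stand-in for one query to the RDNS server: address string or None."""
    return zone.get(fqdn.rstrip(".").lower())


def resolve(name, search_list, query=lookup):
    """Return (fqdn_used, address, names_tried).

    A trailing dot marks the name as absolute, so no suffix is appended
    (assumption, matching common resolver behaviour). Otherwise each suffix
    is appended in list order and the search stops at the first hit; only
    after every suffix fails is the bare name tried (assumption)."""
    tried = []
    if name.endswith("."):
        candidates = [name.rstrip(".")]
    else:
        candidates = [f"{name}.{suffix}" for suffix in search_list] + [name]
    for fqdn in candidates:
        tried.append(fqdn)
        addr = query(fqdn)
        if addr is not None:
            return fqdn, ipaddress.IPv6Address(addr), tried
    return None, None, tried


if __name__ == "__main__":
    for name in ("quality", "intranet", "www.example.net.", "nosuchhost"):
        fqdn, addr, tried = resolve(name, SAMPLE_SEARCH_LIST)
        print(f"{name:20} -> {fqdn} {addr} (tried {tried})")
```

The names_tried list is the useful output when debugging a host provisioned this way: it shows exactly which FQDNs leaked onto the wire for an unqualified name, which is also why the order of suffixes in the DNSSL option matters.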