DNS Resolution for Agent-Based and Remote Network Deployments

Shows the possible configurations you can use for Prisma Access to resolve DNS queries for mobile users and remote networks.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license version 2.2 Preferred and later
  • Native IPv6 access to public and private apps requires the following minimum releases:
    • Prisma Access (Managed by Strata Cloud Manager): June 2024 release
    • Prisma Access (Managed by Panorama): Prisma Access 5.1.1 for new deployments only. Any other deployments (including existing Prisma Access (Managed by Panorama) deployments) support private app access only.
Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. Prisma Access proxies the DNS request based on the configuration of your DNS servers. The following table shows the supported DNS resolution methods for internal and external domains and indicates when Prisma Access proxies the DNS requests.
| Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No) |
|---|---|---|
| Single rule, DNS server configured for Internal Domains | Cloud Default (Google Public DNS64 for IPv6) | Yes |
| Single rule, DNS server configured for Internal Domains | Same as Internal Domains | No |
| Single rule, DNS server configured for Internal Domains | Custom DNS server (Google Public DNS64 for IPv6) | Yes |
| Single rule, Cloud Default set for a domain | Cloud Default (Google Public DNS64 for IPv6) | Yes |
| Single rule, Cloud Default set for a domain | Same as Internal Domains (Google Public DNS64 for IPv6) | Yes |
| Single rule, Cloud Default set for a domain | Custom DNS server (Google Public DNS64 for IPv6) | Yes |
| Multiple rules, DNS server configured for Internal Domains | Cloud Default (Google Public DNS64 for IPv6) | Yes |
| Multiple rules, DNS server configured for Internal Domains | Same as Internal Domains | Yes |
| Multiple rules, DNS server configured for Internal Domains | Custom DNS server (Google Public DNS64 for IPv6) | Yes |
| No configuration | Custom DNS Server (Google Public DNS64 for IPv6) | Yes |
| No configuration | Cloud Default (For IPv6, Primary = Google Public DNS64, Secondary = Cloud Default) | No |
| No configuration | No configuration | No |
| No DNS resolution specified (default configuration is present, which uses Cloud Default) | No DNS resolution specified | No |
| ZTNA Connector (regardless of DNS resolution method) | N/A | Yes |
After you enable ZTNA Connector, Prisma Access proxies all DNS requests using the DNS rules set up for Remote Networks and Mobile Users—GlobalProtect.
The following guidelines and restrictions apply to using DNS resolution with Prisma Access:
  • The maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that Prisma Access supports is 64.
  • For UDP queries, the DNS proxy sends another request if it hasn’t received a response in 2 seconds, and retries a maximum of 5 times before trying the next DNS server.
  • Prisma Access caches the DNS entries with a time-to-live (TTL) value of 300 seconds. EDNS responses are also cached.
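To make the retry, failover and caching guidelines above concrete, here is an added example (not Prisma Access code) that models the documented proxy behaviour in Python so you can see how long a query stalls when a configured DNS server is unreachable. The server addresses and the domain are constructed, and the model assumes that "retries a maximum of 5 times" means one initial send plus five retries.

```python
from dataclasses import dataclass, field

# Values documented on this page
UDP_TIMEOUT_S = 2        # resend a UDP query if no response within 2 seconds
MAX_RETRIES = 5          # at most 5 retries before moving to the next DNS server
CACHE_TTL_S = 300        # cached entries live for 300 seconds
MAX_PENDING_TCP = 64     # maximum concurrent pending TCP DNS requests


@dataclass
class ProxyModel:
    """Toy model of the proxy's retry, failover and cache behaviour.

    servers: {server_ip: {qname: answer}}; a server absent from the dict is
    treated as silent (never responds), an absent qname as a negative answer.
    Assumption: "retries 5 times" means 1 initial send plus 5 retries.
    """
    servers: dict
    order: list                                   # primary first, then secondary
    cache: dict = field(default_factory=dict)     # qname -> (answer, expiry)

    def resolve(self, qname, now):
        """Return (answer, seconds_waited, [(server, send_no), ...])."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:                  # fresh cache entry, no upstream query
            return hit[0], 0, []
        waited, sends = 0, []
        for server in self.order:
            table = self.servers.get(server)
            for send_no in range(1, MAX_RETRIES + 2):   # initial send + retries
                sends.append((server, send_no))
                if table is not None:             # server answered this send
                    answer = table.get(qname)
                    self.cache[qname] = (answer, now + waited + CACHE_TTL_S)
                    return answer, waited, sends
                waited += UDP_TIMEOUT_S           # timed out; retry or fail over
        return None, waited, sends                # every configured server was silent


def worst_case_failover_s(silent_servers):
    """Seconds a client waits before a live server is tried, given N silent servers ahead of it."""
    return silent_servers * (MAX_RETRIES + 1) * UDP_TIMEOUT_S


def tcp_pending_ok(pending):
    """True while the number of in-flight TCP DNS requests is within the documented limit."""
    return pending <= MAX_PENDING_TCP


if __name__ == "__main__":
    # Constructed sample: primary 10.0.0.1 is silent, secondary 10.0.0.2 answers
    m = ProxyModel({"10.0.0.2": {"app.corp.example": "10.1.1.5"}}, ["10.0.0.1", "10.0.0.2"])
    print(m.resolve("app.corp.example", now=0))
```

With one silent primary the model shows a 12-second stall before the secondary is even tried, which is why an unreachable internal DNS server shows up to users as slow first connections rather than outright failures.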
See these procedures for DNS resolution for agent-based and remote network deployments: