Configure System for DNS Survivability
Table of Contents
Expand all | Collapse all
-
-
- Add a Branch
- Add a Data Center
- Add a Branch Gateway
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
- Prisma SD-WAN Incidents and Alerts
Configure System for DNS Survivability
Prisma SD-WAN
Configure DNS Survivability Use case.The DNS service
configuration is now enabled on the ION device and will answer DNS queries on the selected
interfaces. In the modern branch, most systems rely heavily on SaaS solutions
for most day to day tasks. These include productivity tools such as Office 365,
credit card processing systems such as Square, and POS (point-of-sale) systems such
as Aloha; all delivered from the public internet. Besides DNS resolution, these
systems have no dependency on private networks.
Using the
Prisma SD-WAN
DNS service, the system can be configured to use public
internet DNS systems by default while sending internal domain name resolution
requests to private DNS servers in the network. The majority of site services remain
active and functional if the branch is unable to connect with the centralized,
private DNS servers.DNS and Trusted SaaS App Traffic Flow before Prisma
SD-WAN
When the branch PC sends a DNS resolution request to the DNS server
located in the central data center, the data center DNS server receives the request
and responds, if known or cached. Else, forwards the request to the upstream DNS
server.
The branch PC receives the DNS response with the IP address
information for the trusted SaaS application. The connection request is sent to the
destination server. The data center firewall receives the inbound connection request
from the WAN edge MPLS router and forwards it to the internet.
The SaaS
service receives the TCP connection request and sends an acknowledgment back to the
data center firewall. The branch PC receives the TCP connection
acknowledgment.
DNS and Trusted SaaS App Traffic Flow After Prisma
SD-WAN
When the branch PC sends the DNS resolution request to the local branch
ION, configured as the primary DNS server, the ION DNS service receives the request
and responds if the domain record is cached. Else, it forwards the request to the
upstream DNS server based on the configuration. The internet DNS server receives the
request and responds to the branch ION. The branch ION forwards the response to the
branch PC.
The branch PC receives the DNS response with the IP address
information for the trusted SaaS application, and the connection request is sent to
the destination server. The branch ION receives a connection request for the trusted
SaaS application and sends it directly onto the internet path per policy.
The
SaaS service receives the TCP connection request and sends an acknowledgment back to
the branch ION. The branch PC receives the TCP connection
acknowledgment.
Configure the system to facilitate the DNS survivability use
case.
- From thePrisma SD-WANweb interface, selectand create a new service role calledManageResourcesConfiguration ProfilesDNSDNS ServiceDNS Service RolesListenandForward.
- Navigate toand click toDNS ServiceDNS Service ProfilesCreatea new DNS service profile.
- On theBasicscreen, enter a name for the DNS profile and add aDNS Server.
- Specify the internal DNS server IP address.
- SelectDomain Namesand define all internal top-level domain names. For example, internal.com.
- Specify the Listen and ForwardDNS Service Rolescreated in Step 1.
- ClickSave.Repeat the procedure per internal DNS server system.
- Add aDNS ServerfromDNS Servers.
- Specify the internet DNS Server IP address.
- Specify theDNS Service Roles, Listen and Forward, created in Step 1.Do not enter the Domain Name.
- ClickSave.Repeat the procedure per internet DNS server system.
- ClickSaveandSubmit.
- Configure the ION device to use the DNS service.
- Navigate to the ION configuration page and selectDNS Service.
- InDNS Service Role Bindings, clickAdd.
- Select theDNS Role, Listen and Forward from the drop-down.
- Select all relevant LAN interfaces that will receive and forward the requests andEnablethe service.
- ClickSave.The DNS service configuration is now enabled on the ION device and will answer DNS queries on the selected interfaces. After testing that thePrisma SD-WANDNS service is configured per requirements, the DNS server IP addresses can be changed in the DHCP scope to the respective default gateway (ION LAN interfaces), the branch subnets, or specified manually on systems with static IP configuration.With thePrisma SD-WANsystem deployed and the DNS service enabled, the branch systems utilizing SaaS services no longer rely on the centralized data center resources to function. In the event of a data center failure, none of the SaaS application services will be affected. This is due to all necessary functions delivered by the ION device through the DNS service and the ability to put trusted SaaS application traffic directly onto the internet with a scalable and straightforward path policy rule.