Next-Generation Firewall
Configure Destination NAT with DNS Rewrite
Create a destination NAT policy rule for static translation
that also rewrites the IPv4 address in a DNS response based on the original
or translated destination address of the NAT rule.
When you configure a destination NAT policy rule that performs static translation of
IPv4 addresses, you can also configure the rule so that the firewall rewrites the
IPv4 address in a DNS response based on the original or translated IP address
configured for the rule. The firewall performs NAT on the IPv4 address (the FQDN
resolution) in a DNS response (that matches the rule) before forwarding the response
to the client; thus, the client receives the appropriate address to reach the
destination service.
View the DNS rewrite use cases to help
you determine whether to specify that the rewrite occur in the
reverse or forward direction.
You cannot enable Bi-directional
source address translation in the same NAT rule where you enable DNS rewrite.
Perform this task to create a destination NAT policy rule that specifies the firewall
perform static translation of IPv4 addresses that match the rule. The rule also
specifies that the firewall rewrite IP addresses in DNS responses when that IPv4
address (from the A Record) matches the original or translated destination address
in the NAT rule.
The matching order for DNS rewrite follows that of NAT policy rules; the first match
encountered is the one applied.
- Select Policies > NAT and Add a NAT policy rule.
  - (Optional) On the General tab, enter a descriptive Name for the rule.
  - For NAT Type, select ipv4.
- On the Original Packet tab, Add a Destination Address.
  You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address on the Original Packet tab is matched. DNS rewrite ignores all other fields on the Original Packet tab, unless you are configuring DNS rewrite with conditions.
- On the Translated Packet tab, for Destination Address Translation, set Translation Type to Static IP.
- Select a Translated Address or enter a new address.
- Enable DNS Rewrite and select a Direction:
  - Select reverse (default) when the IP address in the DNS response requires the opposite translation to the one the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, the firewall translates the DNS response using the reverse of the translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
  - Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, the firewall translates the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
- (PAN-OS 12.1.2 and later 12.1 releases) (Optional) Make the DNS rewrite action for this rule conditional by enabling Match NAT Rule Source. The firewall then translates the IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to specific DNS clients.
  - The firewall increments the ctd_dns_rewrite_nat_source_match counter when a source IP address or source zone in a DNS response matches a source IP address or source zone configured in the Original Packet.
  - The firewall increments the ctd_dns_rewrite_nat_source_mismatch counter when a source IP address or source zone in a DNS response doesn't match a source IP address or source zone configured in the Original Packet.
- (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude From Zone, Add one or more source zones to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any zone.
  When the client and server belong to different virtual systems, and you are configuring DNS rewrite in the server's virtual system, you can only exclude a source zone at the vsys level, meaning a zone between the two virtual systems.
- (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude Source Address, Add one or more source address objects or address groups, or add a New Address to enter a source IP address to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any address. A static address group is supported as long as all of its members are a supported address type (IP Netmask or IP Range). To add a New Address, configure the following:
  - Name of the IPv4 address.
  - Description of the IPv4 address.
  - Type of address:
    - IP Netmask: Enter an IPv4 address or a network using slash notation; for example, 192.168.80.150 or 192.168.80.0/24. You can also enter an IPv6 address or an IPv6 address with its prefix; for example, 2001:db8:123::1 or 2001:db8:123::/64. You can exclude an IPv6 address even though DNS rewrite supports only IPv4, because the client's underlying network may be IPv6 while the DNS client is requesting an A record (IPv4 address).
    - IP Range: Enter an IPv4 address range (for example, 10.0.0.1-10.0.0.4) or an IPv6 address range (for example, 2001:db8:123:1::1-2001:db8:123:1::11).
  - Add one or more Tags to the address.
  When you Exclude Source Address:
  - Only IP Netmask and IP Range are supported.
  - The Any keyword is not allowed.
  - IP Wildcard Mask is not supported.
  - Address types that rely on incremental updates, such as FQDN, Dynamic IP List, and Dynamic Address Group, are not supported.
  - A static address group is supported as long as all of its members have a supported address type.
  A DNS rewrite mapping rule isn't matched in any of the following conditions:
  - The IPv4 address in the DNS response doesn't match the IP range in the rule.
  - Match NAT Rule Source is enabled, and the DNS session's client doesn't match the source zone and source address configured in the NAT rule.
  - Exclude From Zone is configured and the DNS session's source zone is excluded.
  - Exclude Source Address is configured and the DNS session's source address is excluded.
- Click OK.
- Commit your changes.
- (Optional) To troubleshoot, execute CLI show commands to view the number of DNS response rewrites performed, and more.
  - Access the CLI.
  - View the number of DNS response rewrites performed: > show counter global filter value all | match ctd_dns_rewrite
  - View the number of DNS rewrite lookup errors: > show counter global filter value all | match ctd_dns_rewrite_lookup_error
  - View the number of DNS rewrite lookups for NAT source match: > show counter global filter value all | match ctd_dns_rewrite_nat_source_match
  - View the number of DNS rewrite lookups for NAT source mismatch: > show counter global filter value all | match ctd_dns_rewrite_nat_source_mismatch
  - View the number of DNS rewrite lookups for exclusion by source zone: > show counter global filter value all | match ctd_dns_rewrite_from_zone_exclude
  - View the number of DNS rewrite lookups for exclusion by source IP address: > show counter global filter value all | match ctd_dns_rewrite_source_ip_exclude
- (Optional) To troubleshoot, execute CLI debug commands to determine which NAT rule was hit.
  - Access the CLI.
  - > debug dataplane packet-diag set log feature ctd dns
  - > debug dataplane packet-diag set log on
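To make the rule semantics above concrete before committing a policy, here is an added example (not Palo Alto Networks code and not from this page) that models the DNS rewrite decision on constructed inputs: the reverse and forward directions, the first-match rule order stated in the introduction, the IPv4-only scope, and the PAN-OS 12.1.2 conditions (Match NAT Rule Source, Exclude From Zone, Exclude Source Address). The rule and field names are the page's; the data structures, the `NatRule`/`DnsSession` classes, and the counter bookkeeping are assumptions, as is the choice to let a rule that fails a condition fall through to the next rule (drawn from "the first match encountered is the one applied"). The counter keys reuse the names the page tells you to check with `show counter global`, so you can compare the model's tallies with the firewall's.

```python
"""Added example, not Palo Alto Networks code: a model of the DNS rewrite decision
described on this page, run on constructed rules and DNS sessions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    original_dst: str                          # Original Packet > Destination Address
    translated_dst: str                        # Translated Packet > Static IP address
    direction: str = "reverse"                 # DNS Rewrite direction: reverse (default) or forward
    source_zones: tuple[str, ...] = ("any",)   # Original Packet > Source Zone
    source_addrs: tuple[str, ...] = ("any",)   # Original Packet > Source Address
    match_nat_rule_source: bool = False        # 12.1.2+: Match NAT Rule Source
    exclude_from_zone: tuple[str, ...] = ()    # 12.1.2+: Exclude From Zone
    exclude_source_addr: tuple[str, ...] = ()  # 12.1.2+: Exclude Source Address (IP Netmask or IP Range only)


@dataclass
class DnsSession:
    client_ip: str     # DNS client's IP address, taken from the DNS session
    client_zone: str   # DNS client's security zone


def new_counters() -> dict[str, int]:
    """Counters named after the ones the page suggests checking with 'show counter global'."""
    return {
        "ctd_dns_rewrite": 0,                     # rewrites performed (assumed name for the generic filter)
        "ctd_dns_rewrite_nat_source_match": 0,
        "ctd_dns_rewrite_nat_source_mismatch": 0,
        "ctd_dns_rewrite_from_zone_exclude": 0,
        "ctd_dns_rewrite_source_ip_exclude": 0,
    }


def addr_matches(ip: str, entries: tuple[str, ...]) -> bool:
    """True if ip is covered by any entry: 'any', an IP Netmask (a.b.c.d/nn) or an IP Range (lo-hi)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry == "any":
            return True
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def rewrite_a_record(answer_ip: str, session: DnsSession, rules: list[NatRule],
                     counters: dict[str, int]) -> tuple[str, str | None]:
    """Return (address to send to the client, name of the rule applied or None)."""
    if ipaddress.ip_address(answer_ip).version != 4:
        return answer_ip, None      # DNS rewrite acts on IPv4 A-record answers only
    for rule in rules:              # NAT policy order; first match wins
        # reverse: an answer matching the Translated address is rewritten to the Original address;
        # forward: an answer matching the Original address is rewritten to the Translated address.
        if rule.direction == "reverse":
            match_ip, new_ip = rule.translated_dst, rule.original_dst
        else:
            match_ip, new_ip = rule.original_dst, rule.translated_dst
        if answer_ip != match_ip:
            continue                # response address doesn't match this rule
        if rule.match_nat_rule_source:
            zone_ok = "any" in rule.source_zones or session.client_zone in rule.source_zones
            if zone_ok and addr_matches(session.client_ip, rule.source_addrs):
                counters["ctd_dns_rewrite_nat_source_match"] += 1
            else:
                counters["ctd_dns_rewrite_nat_source_mismatch"] += 1
                continue
        if session.client_zone in rule.exclude_from_zone:
            counters["ctd_dns_rewrite_from_zone_exclude"] += 1
            continue
        if rule.exclude_source_addr and addr_matches(session.client_ip, rule.exclude_source_addr):
            counters["ctd_dns_rewrite_source_ip_exclude"] += 1
            continue
        counters["ctd_dns_rewrite"] += 1
        return new_ip, rule.name
    return answer_ip, None


# Constructed rules using the page's example addresses (1.1.1.10 -> 192.168.1.10).
RULES = [
    NatRule("web-dnat", "1.1.1.10", "192.168.1.10"),          # reverse, unconditional
    NatRule("web-dnat-fwd", "1.1.1.10", "192.168.1.10", direction="forward",
            source_zones=("trust", "guest"), source_addrs=("10.0.0.0/24",),
            match_nat_rule_source=True, exclude_from_zone=("guest",),
            exclude_source_addr=("10.0.0.1-10.0.0.4",)),
]

if __name__ == "__main__":
    c = new_counters()
    for answer, sess in [("192.168.1.10", DnsSession("10.0.0.50", "trust")),
                         ("1.1.1.10", DnsSession("10.0.0.50", "trust")),
                         ("1.1.1.10", DnsSession("203.0.113.7", "untrust")),
                         ("1.1.1.10", DnsSession("10.0.0.50", "guest")),
                         ("1.1.1.10", DnsSession("10.0.0.2", "trust"))]:
        print(answer, sess.client_zone, sess.client_ip, "->", rewrite_a_record(answer, sess, RULES, c))
    print(c)
```

Running the script walks five constructed DNS answers through the two rules: the reverse rule turns 192.168.1.10 into 1.1.1.10 for any client, the forward rule turns 1.1.1.10 into 192.168.1.10 only for a client in the trust or guest zone and 10.0.0.0/24, and the guest-zone and 10.0.0.1-10.0.0.4 clients are left unchanged while the corresponding exclude counters increment, which is the pattern to expect in the `show counter` output after a real commit.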