IPv6 Router Advertisements for DNS Configuration
The firewall implementation of Neighbor Discovery (ND)
is enhanced so that you can provision IPv6 hosts with the Recursive
DNS Server (RDNSS) Option and DNS Search List (DNSSL) Option per RFC 6106, IPv6 Router Advertisement Options for DNS Configuration.
When you Configure
Layer 3 Interfaces, you configure these DNS options on the
firewall so the firewall can provision your IPv6 hosts; therefore
you don’t need a separate DHCPv6 server to provision the hosts. The
firewall sends IPv6 Router Advertisements (RAs) containing these
options to IPv6 hosts as part of their DNS configuration to fully
provision them to reach internet services. Thus, your IPv6 hosts
are configured with:
- The addresses of RDNS servers that can resolve DNS queries.
- A list of domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.
IPv6 Router Advertisement for DNS configuration is supported
for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces,
and Layer 3 VLAN interfaces on all PAN-OS platforms.
The capability of the firewall to send IPv6 RAs for DNS
configuration allows the firewall to perform a role similar to DHCP,
and is unrelated to the firewall being a DNS proxy, DNS client or
DNS server.
After you configure the firewall with the addresses of RDNS servers,
the firewall provisions an IPv6 host (the DNS client) with those
addresses. The IPv6 host uses one or more of those addresses to
reach an RDNS server. Recursive DNS refers to a series of DNS requests
by an RDNS Server, as shown with three pairs of queries and responses
in the following figure. For example, when a user tries to access
www.paloaltonetworks.com, the local browser sees that it does not
have the IP address for that domain name in its cache, nor does
the client’s operating system have it. The client’s operating system
launches a DNS query to a Recursive DNS Server belonging to the
local ISP.

An IPv6 Router Advertisement can contain multiple Recursive DNS
Server Address options, each with the same or a different lifetime.
A single Recursive DNS Server Address option can contain multiple
Recursive DNS Server addresses as long as those addresses share the
same lifetime.
A DNS Search List is a list of domain names (suffixes) that the
firewall advertises to a DNS client. The firewall thus provisions
the DNS client to use the suffixes in its unqualified DNS queries.
The DNS client appends the suffixes, one at a time, to an unqualified
domain name before it enters the name into a DNS query, thereby
using a fully qualified domain name (FQDN) in the DNS query. For
example, if a user (of the DNS client being configured) tries to
submit a DNS query for the name “quality” without a suffix, the
client appends a period and the first DNS suffix from the DNS Search
List to the name and transmits a DNS query. If the first DNS suffix
on the list is “company.com”, the resulting DNS query from the client is
for the FQDN “quality.company.com”.
If the DNS query fails, the client appends the second DNS suffix
from the list to the unqualified name and transmits a new DNS query.
The client uses the DNS suffixes in order until a DNS lookup succeeds
(ignoring the remaining suffixes) or the client has tried all of
the suffixes on the list.
You configure the firewall with the suffixes that you want to
provide to the DNS client in an ND DNSSL option; the DNS
client receiving the DNS Search List option is provisioned to use
those suffixes in its unqualified DNS queries.
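As an added example (not PAN-OS code and not from this page), the following Python encodes and decodes the RDNSS (type 25) and DNSSL (type 31) options described in the two preceding passages using the RFC 6106 wire format, including the rule that all addresses in one RDNSS option share a single lifetime, and adds a check that flags RDNSS addresses in an observed RA that are not the resolvers configured on the firewall. The option bytes, addresses and suffixes used to exercise it are constructed for illustration.

```python
import ipaddress
import struct
RDNSS, DNSSL = 25, 31  # RFC 6106 option types; ND option lengths are in 8-octet units

def build_rdnss(addresses, lifetime):
    # One RDNSS option: every address in it shares the single lifetime field.
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBHI", RDNSS, 1 + 2 * len(addresses), 0, lifetime) + body

def build_dnssl(suffixes, lifetime):
    # One DNSSL option: suffixes in DNS label format, zero-padded to a multiple of 8 octets.
    names = b""
    for s in suffixes:
        names += b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in s.strip(".").split("."))
        names += b"\x00"  # the root label terminates each name
    names += b"\x00" * (-len(names) % 8)
    return struct.pack("!BBHI", DNSSL, 1 + len(names) // 8, 0, lifetime) + names

def _decode_names(buf):
    names, labels, i = [], [], 0
    while i < len(buf):
        n, i = buf[i], i + 1
        if n:
            labels.append(buf[i:i + n].decode("ascii"))
            i += n
        elif labels:  # a zero length ends a name; zeros after the last name are padding
            names, labels = names + [".".join(labels)], []
    return names

def parse_dns_options(data):
    # Walk an RA's ND options and return [(type, lifetime, values)] for RDNSS and DNSSL.
    found, off = [], 0
    while off + 8 <= len(data):
        typ, length = data[off], data[off + 1]
        if length == 0 or off + 8 * length > len(data):  # RFC 4861: such an RA is discarded
            raise ValueError("malformed ND option length")
        opt, off = data[off:off + 8 * length], off + 8 * length
        lifetime = struct.unpack("!I", opt[4:8])[0]
        if typ == RDNSS:
            if length < 3 or length % 2 == 0:  # RFC 6106: RDNSS length = 1 + 2 * N
                raise ValueError("bad RDNSS length")
            addrs = [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, len(opt), 16)]
            found.append((typ, lifetime, addrs))
        elif typ == DNSSL:
            found.append((typ, lifetime, _decode_names(opt[8:])))
    return found

def unexpected_resolvers(data, allowed):  # RDNSS addresses not among the configured resolvers
    ok = {str(ipaddress.IPv6Address(a)) for a in allowed}
    return [a for t, _, vals in parse_dns_options(data) if t == RDNSS for a in vals if a not in ok]
```

Feed `parse_dns_options` the bytes that follow the 16-byte RA header; unrelated options such as Source Link-Layer Address are skipped.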
To specify RDNS Servers and a DNS Search List, Configure
RDNS Servers and DNS Search List for IPv6 Router Advertisements.