Focus

Next-Generation Firewall

Configure a DNS Server Profile

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure a DNS Proxy Object

Configure a Web Proxy

Configure a DNS Server Profile

Configure a DNS server profile with information used in packets sent to a DNS server.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)

To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server. The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the route table of the virtual router where the source interface is assigned. It’s possible that the result of the destination IP egress interface differs from the source interface. The packet would egress out of the destination IP egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server.

The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in DeviceVirtual SystemsGeneralDNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.

You configure a DNS server profile for a virtual system only; it is not for a global Shared location.

Configure a DNS server profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.

Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
1. Select DeviceServer ProfilesDNS and Add a Name for the DNS server profile.
2. For Location, select the virtual system to which the profile applies.
3. For Inheritance Source, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
4. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source.
  
  Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in DeviceVirtual SystemsDNS Proxy.
5. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.
Configure the service route that the firewall automatically uses, based on whether the target DNS Server has an IP address family type of IPv4 or IPv6.
1. Click Service Route IPv4 to enable the subsequent interface and IPv4 address to be used as the service route, if the target DNS address is an IPv4 address.
2. Specify the Source Interface to select the DNS server’s source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
4. Click Service Route IPv6 to enable the subsequent interface and IPv6 address to be used as the service route, if the target DNS address is an IPv6 address.
5. Specify the Source Interface to select the DNS server’s source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
7. Click OK.
Commit the configuration.
Click OK and Commit.

Configure a DNS Proxy Object

Configure a Web Proxy

Next-Generation Firewall Docs

Configure a DNS Server Profile

Next-Generation Firewall Docs

Configure a DNS Server Profile

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner