>
    Strata Copilot
    Configure Destination NAT with DNS Rewrite
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. NAT
    4. Configure NAT
    5. Configure Destination NAT with DNS Rewrite
    Download PDF
    Next-Generation Firewall

    Configure Destination NAT with DNS Rewrite

    Table of Contents

    Configure Destination NAT with DNS Rewrite

    Learn how to configure destination NAT with DNS rewrite.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses for Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    When you configure a destination NAT policy rule that performs static translation of IPv4 addresses, you can also configure the rule so that the firewall rewrites the IPv4 address in a DNS response based on the original or translated IP address configured for the rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in a DNS response (that matches the rule) before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service.
    View the DNS rewrite use cases to help you determine whether to specify that the rewrite occur in the reverse or forward direction.
    You cannot enable Bi-directional source address translation in the same NAT rule where you enable DNS rewrite.
    Perform this task to create a destination NAT policy rule that specifies the firewall perform static translation of IPv4 addresses that match the rule. The rule also specifies that the firewall rewrite IP addresses in DNS responses when that IPv4 address (from the A Record) matches the original or translated destination address in the NAT rule.
    The matching order for DNS rewrite follows that of NAT policy rules; the first match encountered is the one applied.

    PAN-OS

    Learn how to configure destination NAT with DNS rewrite on PAN-OS.
    1. Log in to your NGFW.
    2. Select PoliciesNAT and Add a NAT policy rule.
    3. (Optional) On the General tab, enter a descriptive Name for the rule.
    4. For NAT Type, select ipv4.
    5. On the Original Packet tab, Add a Destination Address.
      You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address on the Original Packet tab is matched. DNS rewrite ignores all other fields on the Original Packet tab, unless you are configuring DNS rewrite with conditions.
    6. Select an applicable Service if necessary.
    7. In the Translated Packet window, select Destination Address Only.
    8. Set the Translation Type to Static IP.
    9. Select a Translated Address or enter a new address.
    10. Optional Enter a Translated Port.
    11. Enable DNS Rewrite and select a Direction:
      • Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
      • Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
    12. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) Make the DNS rewrite action for this rule conditional by enabling Match NAT Rule Source. Translate the IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to occur only for specific DNS clients.
      • The firewall increments the ctd_dns_rewrite_nat_source_match counter when a source IP address or source zone in a DNS response matches a source IP address or source zone configured in the Original Packet.
      • The firewall increments the ctd_dns_rewrite_nat_source_mismatch counter when a source IP address or source zone in a DNS response doesn't match a source IP address or source zone configured in the Original Packet.
    13. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude From Zone, Add one or more source zones to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any zone.
      When the client and server belong to different virtual systems, if you are configuring DNS rewrite in the server's virtual system, you can only exclude a source zone at the vsys level, meaning a zone between the two virtual systems.
    14. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) In Exclude Source Address, Add one or more source address objects or address groups or add a New Address to enter a source IP address to exclude from the DNS rewrite action in this rule, thus making the DNS rewrite action in this rule conditional. You cannot choose Any address. A static address group is supported as long as all of its members are a supported address type (IP Netmask or IP Range). To add a New Address, configure the following:
      1. Name of the IPv4 address.
      2. Description of the IPv4 address.
      3. Type of address—IP Netmask: Enter an IPv4 address or a network using the slash notation; for example 192.168.80.150 or 192.168.80.0/24. You can also enter an IPv6 address or an IPv6 address with its prefix; for example, 2001.db8:123::1 or 2001:db8:123::/64. You can exclude an IPv6 address even though DNS rewrite supports only IPv4 (because the client's underlying network may be IPv6, but the DNS client is requesting an A record [IPv4 address]). IP Range: Enter an IPv4 address range (for example, 10.0.0.1-10.0.0.4) or an IPv6 address range (for example, 2001:db8:123:1::1-2001:db8:123:1::11)
        When you Exclude Source Address:
        • Only IP Netmask and IP Range are supported.
        • The Any keyword is not allowed.
        • IP Wildcard Mask is not supported.
        • Incremental update is not supported, such as FQDN, Dynamic IP List, and Dynamic Address Group.
        • Static address group is supported as long as all of its members have a supported address type.
      4. Add one or more Tags to the address.
      A DNS rewrite mapping rule isn't matched in any of the following conditions:
      • The IPv4 address in the DNS response doesn't match the IP range in the rule.
      • Match NAT Rule Source is enabled, and the DNS session's client doesn't match the source zone and source address configured in the NAT rule.
      • Exclude From Zone is configured and the DNS session's source zone is excluded.
      • Exclude Source Address is configured and the DNS session's source address is excluded.
    15. Click OK.
    16. Save your changes.

    Strata Cloud Manager

    Learn how to configure destination NAT with DNS rewrite on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessNetwork PoliciesNATAdd Rule.
    3. Enter a descriptive Name for your NAT policy rule.
    4. Optional Enter a Description.
    5. Select Pre-Rule or Post-Rule from the Position drop-down.
    6. For NAT Type, select Ipv4 Nat.
    7. On the Destination window under Original Packet, Add a Zone and an Interface, if any.
    8. Add Addresses, Add Address Groups,, and Add External Dynamic Lists.
      You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address under Original Packet is matched. DNS rewrite ignores all other fields on configured under Original Packet, unless you are configuring DNS rewrite with conditions.
    10. On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
    11. Select a Translated Address or enter a new address.
    12. Enable DNS Rewrite and select a Direction:
      • Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
      • Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
    13. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) Make the DNS rewrite action for this rule conditional by enabling Match NAT Rule Source. Translate the IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to occur only for specific DNS clients.
      • The firewall increments the ctd_dns_rewrite_nat_source_match counter when a source IP address or source zone in a DNS response matches a source IP address or source zone configured in the Original Packet.
      • The firewall increments the ctd_dns_rewrite_nat_source_mismatch counter when a source IP address or source zone in a DNS response doesn't match a source IP address or source zone configured in the Original Packet.
      • Exclude From Zone is configured and the DNS session's source zone is excluded.
      • Exclude Source Address is configured and the DNS session's source address is excluded.
    14. You can exclude zones or address to prevent the DNS rewrite mapping rule from matching those zones or addresses.
      1. Add Zones to exclude.
      2. Add Addresses and Add Address Groups to exclude.
    15. Click Save.

    © 2026 Palo Alto Networks, Inc. All rights reserved.