Use NDP to manage IPv6 hosts; configure RDNS servers and DNS search list for IPv6
router advertisements.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (Managed by PAN-OS or Panorama) | |
The firewall implementation of Neighbor Discovery (ND) is enhanced so that you can provision IPv6 hosts with the Recursive DNS Server (RDNSS) Option and DNS Search List (DNSSL) Option per RFC 6106, IPv6 Router Advertisement Options for DNS Configuration.

When you Configure Layer 3 Interfaces, you configure these DNS options on the firewall so the firewall can provision your IPv6 hosts. Therefore, you don’t need a separate DHCPv6 server to provision the hosts. The firewall sends IPv6 Router Advertisements (RAs) containing these options to IPv6 hosts as part of their DNS configuration to fully provision them to reach internet services. Thus, your IPv6 hosts are configured with:

- The addresses of RDNS servers that can resolve DNS queries.
- A list of domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.
IPv6 Router Advertisement for DNS configuration is supported for Ethernet interfaces,
subinterfaces, Aggregated Ethernet interfaces, and Layer 3 VLAN interfaces on all
PAN-OS platforms.
The capability of the firewall to send IPv6 RAs for DNS
configuration allows the firewall to perform a role similar to DHCP, and is
unrelated to the firewall being a DNS proxy, DNS client or DNS server.
After you configure the firewall with the addresses of RDNS servers, the firewall
provisions an IPv6 host (the DNS client) with those addresses. The IPv6 host uses
one or more of those addresses to reach an RDNS server. Recursive DNS refers to a
series of DNS requests by an RDNS Server, as shown with three pairs of queries and
responses in the following figure. For example, when a user tries to access
www.paloaltonetworks.com, the local browser sees that it does not have the IP
address for that domain name in its cache, nor does the client’s operating system
have it. The client’s operating system launches a DNS query to a Recursive DNS
Server belonging to the local ISP.
An IPv6 Router Advertisement can contain multiple DNS Recursive Server Address
options, each with the same or different lifetimes. A single DNS Recursive Server
Address option can contain multiple Recursive DNS Server addresses as long as
the addresses have the same lifetime.
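The following is an added example, not PAN-OS code, that encodes and decodes the two RFC 6106 option formats the text describes: it packs the RDNSS (type 25) and DNSSL (type 31) options into the wire layout a Router Advertisement carries, groups server addresses by lifetime so that no single RDNSS option mixes lifetimes (producing several options when lifetimes differ, as the previous paragraph allows), and parses such a run of options back with basic length checks. The option type values and field layout come from RFC 6106; the resolver addresses (in the 2001:db8::/32 documentation prefix), suffixes and lifetimes are constructed sample values.

```python
"""Encode/decode RFC 6106 RA DNS options (added example, not PAN-OS code).

Type values and layout are from RFC 6106; addresses, suffixes and lifetimes
below are constructed samples."""
import ipaddress
import math
import struct
from collections import defaultdict

ND_OPT_RDNSS = 25  # Recursive DNS Server option, RFC 6106 section 5.1
ND_OPT_DNSSL = 31  # DNS Search List option, RFC 6106 section 5.2
LIFETIME_INFINITE = 0xFFFFFFFF  # all ones = valid forever; 0 = stop using now


def build_rdnss(addresses, lifetime):
    """One RDNSS option: 8-octet header, then 16-octet addresses sharing one lifetime."""
    if not addresses:
        raise ValueError("an RDNSS option needs at least one address")
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length_units = 1 + 2 * len(addresses)  # Length field counts 8-octet units
    return struct.pack("!BBHI", ND_OPT_RDNSS, length_units, 0, lifetime) + packed


def build_rdnss_options(servers):
    """servers: list of (address, lifetime). Addresses are grouped by lifetime so a
    single option never mixes lifetimes; each group becomes its own option."""
    groups = defaultdict(list)
    for address, lifetime in servers:
        groups[lifetime].append(address)
    return b"".join(build_rdnss(addrs, lt) for lt, addrs in groups.items())


def _encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_dnssl(suffixes, lifetime):
    """One DNSSL option; the name list is zero-padded to an 8-octet boundary."""
    names = b"".join(_encode_name(s) for s in suffixes)
    total = 8 + len(names)
    length_units = math.ceil(total / 8)
    padding = b"\x00" * (length_units * 8 - total)
    return struct.pack("!BBHI", ND_OPT_DNSSL, length_units, 0, lifetime) + names + padding


def _decode_names(body):
    names, labels, pos = [], [], 0
    while pos < len(body):
        n = body[pos]
        pos += 1
        if n == 0:
            if not labels:  # a zero where a new name would start is padding
                break
            names.append(".".join(labels))
            labels = []
            continue
        if n > 63 or pos + n > len(body):
            raise ValueError("malformed label in DNSSL option")
        labels.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if labels:
        raise ValueError("unterminated name in DNSSL option")
    return names


def parse_dns_options(blob):
    """Walk a run of ND options (what follows the fixed RA header) and return the
    RDNSS/DNSSL contents; other option types are skipped by their length."""
    found, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated option header")
        otype, olen = blob[offset], blob[offset + 1]
        if olen == 0:
            raise ValueError("option length 0 is invalid (RFC 4861)")
        size = olen * 8
        opt = blob[offset:offset + size]
        if len(opt) < size:
            raise ValueError("option runs past end of packet")
        offset += size
        if otype not in (ND_OPT_RDNSS, ND_OPT_DNSSL):
            continue
        lifetime = struct.unpack("!I", opt[4:8])[0]
        if otype == ND_OPT_RDNSS:
            body = opt[8:]
            if not body or len(body) % 16:
                raise ValueError("RDNSS body is not a whole number of addresses")
            addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
            found.append({"type": "RDNSS", "lifetime": lifetime, "addresses": addrs})
        else:
            found.append({"type": "DNSSL", "lifetime": lifetime, "names": _decode_names(opt[8:])})
    return found


if __name__ == "__main__":
    # Constructed sample: two resolvers share a lifetime and a third has its own,
    # so the encoder emits two RDNSS options, followed by one DNSSL option.
    ra = build_rdnss_options([("2001:db8::53", 1800), ("2001:db8::54", 1800), ("2001:db8::55", 600)])
    ra += build_dnssl(["company.com", "lab.company.com"], 1800)
    for option in parse_dns_options(ra):
        print(option)
```

The parser rejects a zero Length field and options that run past the buffer before it touches their contents; both are conditions a receiver should treat as a malformed packet rather than guess at.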
A DNS Search List is a list of domain names (suffixes) that the firewall advertises
to a DNS client. The firewall thus provisions the DNS client to use the suffixes in
its unqualified DNS queries. The DNS client appends the suffixes, one at a time, to
an unqualified domain name before it enters the name into a DNS query, thereby using
a fully qualified domain name (FQDN) in the DNS query. For example, if a user (of
the DNS client being configured) tries to submit a DNS query for the name “quality”
without a suffix, the DNS client appends a period and the first DNS suffix from the
DNS Search List to the name and transmits a DNS query. If the first DNS suffix on the
list is “company.com”, the resulting DNS query from the client is for the FQDN
“quality.company.com”.
If the DNS query fails, the client appends the second DNS suffix from the list to the
unqualified name and transmits a new DNS query. The client uses the DNS suffixes in
order until a DNS lookup succeeds (ignoring the remaining suffixes) or the client
has tried all of the suffixes on the list.
You configure the firewall with the suffixes that you want to provide to the DNS
client in an ND DNSSL option; the DNS client receiving the DNS Search List
option is provisioned to use the suffixes in its unqualified DNS queries.
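To make the search order concrete, the following is an added example (not PAN-OS code or the behaviour of any particular resolver) that simulates a DNS client provisioned with a DNSSL: an unqualified name is tried with each suffix in the advertised order and the first successful lookup wins. The search list and the "zone" answered by the constructed `sample_lookup` function are sample values, and treating only names that end in a trailing dot as already qualified is a simplification of real resolver rules. The returned `attempts` list shows which FQDNs would actually be sent to the RDNS server, which is useful when reviewing resolver logs for a host.

```python
"""Simulate DNSSL suffix search (added example, not PAN-OS code).

The search list and the zone data below are constructed samples; only names
with a trailing dot are treated as already qualified (a simplification)."""


def resolve_with_search_list(name, search_list, lookup):
    """Return (fqdn, answer, attempts). `lookup(fqdn)` stands in for a query to
    an RDNS server and returns an answer or None. `attempts` records every FQDN
    queried, in order, so the on-the-wire behaviour is visible."""
    attempts = []
    if name.endswith("."):  # absolute name: no suffix processing
        fqdn = name.rstrip(".")
        attempts.append(fqdn)
        return fqdn, lookup(fqdn), attempts
    for suffix in search_list:
        fqdn = f"{name}.{suffix.rstrip('.')}"  # append a period and the suffix
        attempts.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:  # first success wins; remaining suffixes ignored
            return fqdn, answer, attempts
    return None, None, attempts  # every suffix tried, nothing resolved


# Constructed sample zone standing in for the RDNS server's answers.
SAMPLE_ZONE = {
    "quality.lab.company.com": "2001:db8:1::10",
    "www.company.com": "2001:db8:1::80",
}


def sample_lookup(fqdn):
    return SAMPLE_ZONE.get(fqdn)


# Suffixes in the order the DNSSL option advertises them (constructed sample).
SEARCH_LIST = ["company.com", "lab.company.com"]

if __name__ == "__main__":
    for query in ("quality", "www", "missing", "www.company.com."):
        print(query, "->", resolve_with_search_list(query, SEARCH_LIST, sample_lookup))
```

Note that "quality" costs two queries (the first suffix fails, the second succeeds), while "missing" generates one failed query per suffix before the client gives up; a long search list therefore multiplies the traffic produced by every typo.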
Perform this task to configure IPv6 router advertisements for DNS configuration of IPv6 hosts.
You will specify RDNS servers and a DNS search list.