Focus

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

DNS Proxy Rule and FQDN Matching

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

This scenario happens to use split DNS, a configuration where DNS Proxy rules are configured to redirect DNS requests to a set of DNS servers based on a domain name match. If there is no match, the server profile determines the DNS servers to which to send the request, hence the two, split DNS resolution methods.

For dataplane DNS resolutions, the source IP address from the DNS proxy in PAN-OS to the outside DNS server would be the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 172.16.1.1 to the DNS proxy at 192.168.1.1, then the request to the DNS server (at 10.10.10.10) would use a source of 192.168.1.1 and a destination of 10.10.10.10.

Select

Network

DNS Proxy

and click

Add

Click

Enable

and enter a

Name

for the DNS Proxy.

For

Location

, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).

For

Interface

, select the interface that will receive the DNS requests from the tenant’s hosts, in this example, Ethernet1/20.

Choose or create a

Server Profile

to customize DNS servers to resolve DNS requests for this tenant.

On the

DNS Proxy Rules

tab,

Add

Name

for the rule.

(Optional) Select

Turn on caching of domains resolved by this mapping

Add

one or more

Domain Name

(s), one entry per row. DNS Proxy Rule and FQDN Matching describes how the firewall matches FQDNs to domain names in a DNS proxy rule.

For

DNS Server profile

, select a profile. The firewall compares the domain name in the DNS request to the domain name(s) defined in the

DNS Proxy Rules

. If there is a match, the

DNS Server profile

defined in the rule is used to determine the DNS server.

In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the

Server Profile

(Corp1 DNS Server Profile) is used.

Click

twice.

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

DNS Proxy Rule and FQDN Matching

Next-Generation Firewall Docs

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Next-Generation Firewall Docs

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner