Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall sits between a DNS client and a DNS server. A DNS Proxy object on the firewall acts as the DNS server for the hosts on the tenant’s network that is connected to the firewall interface, and the firewall performs the DNS resolution on its dataplane.

This scenario uses split DNS: DNS Proxy rules redirect a DNS request to one set of DNS servers when the queried domain name matches a rule, and when no rule matches, the Server Profile configured on the DNS Proxy object determines the DNS servers that receive the request. Those two paths are the two resolution methods that "split" DNS refers to.
For dataplane DNS resolution, the source IP address of the query that the PAN-OS DNS proxy sends to the outside DNS server is the address of the proxy itself, that is, the destination IP address of the client’s original request. Any service route defined in the DNS Server Profile is not used. For example, if the request is from host 172.16.1.1 to the DNS proxy at 192.168.1.1, the request to the DNS server at 10.10.10.10 uses a source of 192.168.1.1 and a destination of 10.10.10.10. Consequently, the DNS server sees the firewall interface address, not the client address, as the querier: any source-based access control on that server must permit 192.168.1.1, and the server must be able to route its replies back to that address.
- Select Network > DNS Proxy and click Add.
- Click Enable and enter a Name for the DNS Proxy.
- For Location, select the virtual system of the tenant; in this example, Corp1 Corporation (vsys6).
- For Interface, select the interface that will receive the DNS requests from the tenant’s hosts; in this example, Ethernet1/20.
- Choose or create a Server Profile to specify the DNS servers that resolve DNS requests for this tenant. This profile is the default; it is used whenever no DNS Proxy Rule matches the request.
- On the DNS Proxy Rules tab, Add a Name for the rule.
- (Optional) Select Turn on caching of domains resolved by this mapping.
- Add one or more Domain Name(s), one entry per row. DNS Proxy Rule and FQDN Matching describes how the firewall matches FQDNs to the domain names in a DNS proxy rule.
- For DNS Server profile, select a profile. The firewall compares the domain name in the DNS request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS Server profile defined in the rule determines the DNS server.
- In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the Server Profile (Corp1 DNS Server Profile) is used.
- Click OK twice.
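The following Python is an added illustration, not PAN-OS code and not part of this guide. It models the two decisions the firewall makes in this use case: choosing the DNS Server Profile by matching the queried name against the DNS Proxy Rules (falling back to the object's default Server Profile), and sourcing the upstream query from the proxy's own address rather than the client address or a service route. The client, proxy and Corp1 server addresses are the ones used above; the myweb profile's server 10.20.20.20, the object name Corp1-DNS-Proxy and the rule name myweb-rule are constructed for the example. The wildcard handling in domain_matches is an assumption of this model, not the firewall's documented behaviour, which DNS Proxy Rule and FQDN Matching describes.

```python
"""Model of the split-DNS decision a dataplane DNS Proxy makes (illustration, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DnsServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    # A service route may exist on the profile, but the dataplane proxy does not use it.
    service_route: Optional[str] = None

    def servers(self) -> List[str]:
        return [s for s in (self.primary, self.secondary) if s]


@dataclass(frozen=True)
class DnsProxyRule:
    name: str
    domain_names: List[str]
    profile: DnsServerProfile
    cache: bool = False  # "Turn on caching of domains resolved by this mapping"


@dataclass
class DnsProxy:
    name: str
    vsys: str
    interface: str
    interface_ip: str              # address the tenant's hosts send their queries to
    default_profile: DnsServerProfile
    rules: List[DnsProxyRule] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: drop the trailing dot, lower-case, split into labels."""
    return name.rstrip(".").lower().split(".")


def domain_matches(pattern: str, fqdn: str) -> bool:
    """Simplified matching (assumption): exact match, or a leading '*.' that
    covers one or more labels. The firewall's real rules are documented in
    'DNS Proxy Rule and FQDN Matching'."""
    p, q = _labels(pattern), _labels(fqdn)
    if p[0] == "*":
        suffix = p[1:]
        return len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix
    return p == q


def select_rule(proxy: DnsProxy, qname: str) -> Optional[DnsProxyRule]:
    """First DNS Proxy Rule whose domain list matches the queried name, if any."""
    for rule in proxy.rules:
        if any(domain_matches(d, qname) for d in rule.domain_names):
            return rule
    return None


def plan_upstream_query(proxy: DnsProxy, client_ip: str, qname: str) -> Dict[str, object]:
    """Describe the query the proxy sends upstream for a client request."""
    rule = select_rule(proxy, qname)
    profile = rule.profile if rule else proxy.default_profile
    return {
        "rule": rule.name if rule else None,
        "profile": profile.name,
        "cacheable": bool(rule and rule.cache),
        # Source is the proxy address (the client's destination), never the
        # client address and never the profile's service route.
        "source_ip": proxy.interface_ip,
        "destinations": profile.servers(),
        "original_client": client_ip,
    }


# Example objects. Addresses 172.16.1.1, 192.168.1.1 and 10.10.10.10 come from
# the text above; 10.20.20.20 and the object/rule names are constructed.
CORP1_DEFAULT = DnsServerProfile("Corp1 DNS Server Profile", primary="10.10.10.10")
MYWEB_PROFILE = DnsServerProfile("myweb", primary="10.20.20.20")
CORP1_PROXY = DnsProxy(
    name="Corp1-DNS-Proxy",
    vsys="vsys6",
    interface="ethernet1/20",
    interface_ip="192.168.1.1",
    default_profile=CORP1_DEFAULT,
    rules=[DnsProxyRule("myweb-rule", ["myweb.corp1.com"], MYWEB_PROFILE, cache=True)],
)

if __name__ == "__main__":
    for name in ("myweb.corp1.com", "www.example.com"):
        print(name, plan_upstream_query(CORP1_PROXY, "172.16.1.1", name))
```

To exercise the real configuration from a host behind Ethernet1/20, send a query to the proxy address (for example `dig @192.168.1.1 myweb.corp1.com`) and confirm that the query leaving the firewall toward the chosen DNS server carries source 192.168.1.1; a second query for a name that matches no rule should go to the server in the Corp1 DNS Server Profile.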