In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.
This scenario uses split DNS, a configuration in which DNS Proxy rules redirect DNS requests to a specific set of DNS servers when the queried domain name matches a rule. If no rule matches, the DNS Server Profile assigned to the proxy determines the DNS servers that receive the request. These are the two resolution paths that make the DNS "split".
For dataplane DNS resolution, the source IP address of the query that the PAN-OS DNS proxy sends to the external DNS server is the proxy's own address, which is the destination IP address of the client's original request. Any service route defined in the DNS Server Profile is not used, so the forwarded query is not sourced from a service-route interface or address. For example, if host 1.1.1.1 sends a request to the DNS proxy at 2.2.2.2, the request forwarded to the DNS server at 3.3.3.3 has a source of 2.2.2.2 and a destination of 3.3.3.3.
Configure a DNS Proxy and DNS Proxy Rules
Configure a DNS Proxy and DNS proxy rules as follows.
1. Select Network > DNS Proxy and click Add.
2. Click Enable and enter a Name for the DNS Proxy.
3. For Location, select the virtual system of the tenant.
4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts.
5. Choose or create a Server Profile to customize the DNS servers that resolve DNS requests for this tenant.
6. On the DNS Proxy Rules tab, click Add and enter a Name for the rule.
7. Select Turn on caching of domains resolved by this mapping.
8. Click Add and enter one or more Domain Names for the rule, one entry per row. (Reference: DNS Proxy Rule and FQDN Matching describes how the firewall matches FQDNs to the domain names in a DNS proxy rule.)
9. For DNS Server profile, select a profile from the drop-down. The firewall compares the domain name in the DNS request to the domain names defined in the DNS Proxy Rules; if there is a match, the DNS Server profile defined in the rule determines the DNS server.
10. Click OK to save the rule.
11. Click OK to save the DNS Proxy.
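As an added illustration (not configuration or code from the PAN-OS documentation), the following Python script models the split-DNS decision that the procedure above configures: a query is checked against the domain names of the proxy rules, a matching rule's DNS Server profile supplies the resolver, otherwise the proxy's default Server Profile does, and the forwarded query is sourced from the proxy address rather than from any service route in the profile. The addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 are the page's own; 10.10.0.53, 10.99.0.1, the profile and rule names, the first-match rule order, and the wildcard semantics in domain_matches are assumptions made for illustration, not a statement of the firewall's exact matching behaviour (see DNS Proxy Rule and FQDN Matching).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DNSServerProfile:
    """A DNS Server Profile: resolvers plus an optional service-route source.
    service_route_source is an assumed field name; it exists only so the demo
    can show that dataplane proxy resolution never uses it."""
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route_source: Optional[str] = None


@dataclass
class DNSProxyRule:
    """A DNS Proxy Rule: domain names, the profile used on a match, caching flag."""
    name: str
    domain_names: List[str]
    server_profile: DNSServerProfile
    cache: bool = True


@dataclass
class DNSProxy:
    """A DNS Proxy bound to one tenant-facing interface address."""
    name: str
    interface_ip: str
    default_profile: DNSServerProfile
    rules: List[DNSProxyRule] = field(default_factory=list)


@dataclass
class ForwardedQuery:
    """The query the proxy emits toward the selected DNS server."""
    src_ip: str
    dst_ip: str
    qname: str
    matched_rule: Optional[str]
    # True/False from the matched rule; None when no rule matched, in which case
    # the proxy-level cache settings apply (not modeled here).
    cacheable: Optional[bool]


def domain_matches(pattern: str, qname: str) -> bool:
    """Assumed matching semantics for illustration: compare label by label,
    case-insensitively, ignoring a trailing dot; a leading '*' label stands for
    one or more labels, so '*.corp.example' matches 'a.corp.example' but not
    'corp.example' itself."""
    p = pattern.lower().rstrip(".").split(".")
    q = qname.lower().rstrip(".").split(".")
    if p and p[0] == "*":
        suffix = p[1:]
        return len(q) > len(suffix) and q[-len(suffix):] == suffix
    return p == q


def select_profile(proxy: DNSProxy, qname: str) -> Tuple[DNSServerProfile, Optional[DNSProxyRule]]:
    """Rule match -> the rule's profile; no match -> the proxy's default profile."""
    for rule in proxy.rules:  # first matching rule wins (assumption)
        if any(domain_matches(d, qname) for d in rule.domain_names):
            return rule.server_profile, rule
    return proxy.default_profile, None


def forward_query(proxy: DNSProxy, client_ip: str, qname: str) -> ForwardedQuery:
    """Build the outbound query for a client request that arrived at the proxy.
    Dataplane resolution sources the query from the proxy's own address (the
    destination of the client's request); profile.service_route_source and
    client_ip are deliberately never used as the source."""
    profile, rule = select_profile(proxy, qname)
    return ForwardedQuery(
        src_ip=proxy.interface_ip,
        dst_ip=profile.primary,
        qname=qname,
        matched_rule=rule.name if rule else None,
        cacheable=rule.cache if rule else None,
    )


def build_example_proxy() -> DNSProxy:
    """Constructed configuration: proxy 2.2.2.2 and default server 3.3.3.3 come
    from the page; 10.10.0.53 (internal resolver), 10.99.0.1 (service-route
    address) and all names are assumed values."""
    default = DNSServerProfile("tenant-default", "3.3.3.3", service_route_source="10.99.0.1")
    internal = DNSServerProfile("tenant-internal", "10.10.0.53")
    rule = DNSProxyRule("corp-internal", ["corp.example", "*.corp.example"], internal, cache=True)
    return DNSProxy("tenant-a-proxy", "2.2.2.2", default, [rule])


if __name__ == "__main__":
    proxy = build_example_proxy()
    for name in ("intranet.corp.example", "corp.example", "www.example.net"):
        print(forward_query(proxy, "1.1.1.1", name))
```

Running the script shows the two resolution paths side by side: names under corp.example go to 10.10.0.53 through the rule's profile, everything else goes to 3.3.3.3 through the default profile, and in both cases the source address is 2.2.2.2, never the profile's service-route address.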