Enable DNS Proxy

Domain name system (DNS) servers translate user-friendly domain names to the IP addresses that locate and identify the corresponding resources. A Palo Alto Networks firewall positioned between clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
  • Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
  • Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP-address mappings, and resolve other domains using a public or ISP DNS server).
  1. Specify the interfaces on which you want the firewall to listen for DNS requests.
    1. Select Network > DNS Proxy and Add a new object.
    2. Verify that Enable is selected and Name the object.
    3. Add one or more Interface entries on which the firewall listens for DNS requests.
    4. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.
  2. Define the DNS server with which the firewall should communicate to resolve DNS requests.
    If you are enabling DNS proxy on a virtual system, you must first select New in the Server Profile drop-down, and then continue with either of the following options.
    Specify DNS Servers
    1. Set Inheritance Source to none.
    2. Enter the Primary DNS server IP address or address object.
    3. Enter the Secondary DNS server IP address or address object.
    Use Inherited DNS Servers
    Select an Inheritance Source from which the firewall can use existing DNS server settings for the DNS proxy object.
    Only interfaces configured as DHCP client interfaces or PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings that the client interface dynamically receives from a DHCP server are also used to populate the Primary and Secondary DNS server settings (leave both of these fields set to inherited).
  3. Enable the firewall to reach out to specific DNS servers to resolve specific domains.
    For example, the firewall can forward queries for corporate domains to a corporate DNS server for resolution.
    1. Select DNS Proxy Rules, Add a rule, and give the rule a descriptive Name.
    2. Turn on caching of domains resolved by this mapping so that the firewall saves recently resolved DNS queries and can quickly answer future matching queries.
    3. Add one or more Domain Name entries.
    4. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
      If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.
  4. Set up static FQDN-to-IP-address entries that the firewall can resolve locally, without having to reach out to a DNS server.
    1. Select Static Entries.
    2. Add and Name a new static mapping entry.
    3. Enter the FQDN that you want the firewall to resolve.
    4. Add one or more IP Address entries to map to the FQDN you entered in the previous step.
  5. Enable caching for resolved hostname-to-IP-address mappings, and customize additional DNS settings.
    Select Advanced and configure settings to:
    • Store recently resolved hostname-to-IP-address mappings. Select Cache and then specify the number of entries the cache holds and the number of hours after which all cached DNS entries are removed.
    • Enable DNS queries using TCP.
    • Specify settings for UDP query retries.
  6. Enable evasion signatures.
    When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert on instances where a client connects to a domain other than the domain specified in the original DNS query.
    1. Install Applications and Threats content version 579 or later:
      1. Select Device > Dynamic Updates.
      2. Check Now to get the latest Applications and Threats content update.
      3. Download and Install Applications and Threats content version 579.
    2. Define how traffic matched to evasion signatures should be enforced:
      1. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
      2. Select Exceptions and select Show all signatures.
      3. Filter signatures based on the keyword evasion.
      4. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the action to alert or block.
      5. Click OK to save the updated Anti-Spyware profile.
      6. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the policy you want to modify, and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.
  7. Commit your changes.
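The resolution behaviour that steps 2 through 5 configure (static entries, a bounded cache with hour-based expiry, per-domain proxy rules with primary/secondary servers, and default servers for everything else), modelled as an added Python example that is not PAN-OS code. The lookup order (static entries, then cache, then proxy rules, then default servers), the longest-suffix rule match, and the upstream answer table are assumptions made for this model; all addresses and names are constructed.

```python
import time

# Constructed sample configuration mirroring the DNS proxy object's fields:
# step 4 static entries, step 3 proxy rules, step 2 default servers, step 5 cache.
STATIC_ENTRIES = {"intranet.example.corp": ["10.0.0.10"]}
PROXY_RULES = {"example.corp": {"servers": ["10.0.0.53", "10.0.1.53"], "cache": True}}
DEFAULT_SERVERS = ["203.0.113.53", "203.0.113.54"]
CACHE_MAX_ENTRIES, CACHE_TTL_HOURS = 2, 4
# Constructed upstream answers (server -> fqdn -> IPs) standing in for real DNS
# servers so the example runs offline.
UPSTREAM = {
    "10.0.0.53": {"mail.example.corp": ["10.0.0.25"]},
    "203.0.113.53": {"www.example.net": ["198.51.100.7"]},
}

class DnsProxy:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so cache expiry can be exercised
        self.cache = {}     # fqdn -> (ips, expiry_timestamp)
        self.trace = []     # (fqdn, how the query was answered), for inspection
    def _rule_for(self, fqdn):
        # Assumed longest-suffix match: "example.corp" also covers "mail.example.corp".
        labels = fqdn.split(".")
        for i in range(len(labels)):
            rule = PROXY_RULES.get(".".join(labels[i:]))
            if rule:
                return rule
        return None
    def _forward(self, fqdn, servers):
        for server in servers:  # primary first; secondary only if primary has no answer
            ips = UPSTREAM.get(server, {}).get(fqdn)
            if ips:
                return ips, server
        return [], None
    def resolve(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in STATIC_ENTRIES:                 # 1. static entry: no upstream query
            self.trace.append((fqdn, "static"))
            return STATIC_ENTRIES[fqdn]
        ips, expiry = self.cache.get(fqdn, ([], 0))
        if expiry > self.now():                    # 2. unexpired cache hit
            self.trace.append((fqdn, "cache"))
            return ips
        rule = self._rule_for(fqdn)                # 3. domain rule, else 4. default servers
        ips, server = self._forward(fqdn, rule["servers"] if rule else DEFAULT_SERVERS)
        self.trace.append((fqdn, f"{'rule' if rule else 'default'}:{server}"))
        if ips and (rule is None or rule["cache"]):
            if len(self.cache) >= CACHE_MAX_ENTRIES:   # bounded cache: evict soonest to expire
                del self.cache[min(self.cache, key=lambda k: self.cache[k][1])]
            self.cache[fqdn] = (ips, self.now() + CACHE_TTL_HOURS * 3600)
        return ips
```

`DnsProxy().resolve("mail.example.corp")` is answered by the corporate server through the rule; a second call within four hours comes from the cache.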
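A simplified model of the check behind the evasion signatures in step 6, added here as an example that is not PAN-OS code: the firewall keeps the answers its DNS proxy returned and compares each HTTP Host header or TLS SNI against the destination IP the client actually connected to. The answer table, the sessions, the fixed clock and the reason strings are constructed for this example.

```python
# Constructed record of answers the DNS proxy returned to clients:
# fqdn -> (set of answered IPs, expiry timestamp). On a real firewall this
# would come from the queries the proxy served; here it is hard-coded.
DNS_ANSWERS = {
    "www.example.net": ({"198.51.100.7"}, 2000.0),
    "cdn.example.org": ({"203.0.113.20", "203.0.113.21"}, 2000.0),
}

# Constructed HTTP/TLS sessions as (client, destination IP, Host header or SNI).
SESSIONS = [
    ("10.1.1.5", "198.51.100.7", "www.example.net"),   # consistent with the proxied answer
    ("10.1.1.5", "203.0.113.21", "cdn.example.org"),   # any answered IP is acceptable
    ("10.1.1.9", "198.51.100.7", "evil.example.com"),  # name never resolved via the proxy
    ("10.1.1.9", "192.0.2.44", "www.example.net"),     # known name, unexpected destination
]

NEVER_RESOLVED = "name was never resolved through the DNS proxy"
EXPIRED = "DNS answer for the name has expired"
IP_MISMATCH = "destination IP is not an answer for that name"

def check_session(dst_ip, name, answers=DNS_ANSWERS, now=lambda: 1000.0):
    """Return None when dst_ip is an unexpired proxied answer for name, else the reason.

    `now` is a fixed constructed clock by default so the example is deterministic."""
    entry = answers.get(name.lower().rstrip("."))
    if entry is None:
        return NEVER_RESOLVED
    ips, expiry = entry
    if expiry <= now():
        return EXPIRED
    if dst_ip not in ips:
        return IP_MISMATCH
    return None

def evasion_alerts(sessions, answers=DNS_ANSWERS, now=lambda: 1000.0):
    """Sessions whose Host/SNI does not line up with what the client resolved."""
    alerts = []
    for client, dst_ip, name in sessions:
        reason = check_session(dst_ip, name, answers, now)
        if reason is not None:
            alerts.append((client, dst_ip, name, reason))
    return alerts

if __name__ == "__main__":
    for alert in evasion_alerts(SESSIONS):
        print("evasion candidate:", alert)
```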
