Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall intermediate to clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries. Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server hostname-to-IP-address mappings, and resolve other domains using a public or ISP DNS server).
Enable the Firewall to Act as a DNS Proxy
Specify the interfaces on which you want the firewall to listen for DNS requests. Select Network > DNS Proxy and Add a new object. Verify that Enable is selected and Name the object. Add one or more Interface on which the firewall listens for DNS requests. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.
Define the DNS server with which the firewall should communicate to resolve DNS requests. If you are enabling DNS proxy on a virtual system, you must select New in the Server Profile drop-down first, and then continue with either of the following options. Specify DNS Servers Set Inheritance Source to none. Enter a the Primary DNS server IP address or address object. Enter the Secondary DNS server IP address or address object. Use Inherited DNS Servers Select an Inheritance Source from which the firewall can use existing DNS server settings for the DNS proxy object. Only interfaces configured to be DHCP client interfaces and PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings the client interface dynamically receives from a DHCP server are also used to populate the Primary and Secondary DNS server settings (just continue to set both of these fields to inherited).
Enable the firewall to reach out to certain DNS servers to resolve specific domains. For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution. Select DNS Proxy Rules, Add a rule, and give the rule a descriptive Name. Turn on caching of domains resolved by this mapping to enable the firewall to save recently resolved DNS queries in order to quickly resolve future matching queries. Add one or more Domain Name. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names. If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.
Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server. Select Static Entries. Add and Name a new static mapping entry. Enter the FQDN that you want the firewall to resolve. Add one or more IP Address to map to the domain you entered in the last step.
Enable caching for resolved hostname-to-IP-address mappings, and customize additional DNS settings. Select Advanced and configure settings to: Store recently resolved hostname-to-IP-address mappings. Select Cache and continue to specify the number of entries for the cache to hold and the number of hours after which all cached DNS entries are removed. Enable DNS queries using TCP. Specify settings for UDP query retries.
Enable evasion signatures. When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domain specified in the original DNS query. Install the Applications and Threats content version 579 or later: Select Device > Dynamic Updates. Check Now to get the latest Applications and Threats content update. Download and Install Applications and Threats content version 579. Define how traffic matched to evasion signatures should be enforced: Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-spyware profile. Select Exceptions and select Show all signatures. Filter signatures based on the keyword evasion . For all evasion signatures, set the Action to any setting other than allow or the default action (the default action is for evasion signatures is allow). For example, set the action to alert on or block. Click OK to save the updated Anti-spyware profile. Attach the Anti-spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the anti-spyware profile you just modified to enforce evasion signatures.
Commit your changes.
Learn more about DNS features... Use DNS queries to identify infected hosts on the network. Enable passive DNS collection for better threat intelligence. To work with DNS features and virtual systems, see DNS and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.

Related Documentation