Domain name system (DNS) servers translate user-friendly domain names to the IP addresses that locate and identify the corresponding resources. A Palo Alto Networks firewall positioned between clients and servers can act as a DNS proxy and resolve domain name queries on the clients' behalf.
The DNS proxy feature enables the firewall to:
- Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
- Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains using a corporate DNS server's hostname-to-IP-address mappings, and resolve all other domains using a public or ISP DNS server).
- Specify the interfaces on which you want the firewall to listen for DNS requests.
- Select Network > DNS Proxy and Add a new object.
- Verify that Enable is selected and give the object a Name.
- Add one or more Interface entries on which the firewall listens for DNS requests.
- (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.
- Define the default DNS servers with which the firewall communicates to resolve DNS requests that no more specific setting covers. Either inherit the servers or specify them directly:
  - Use Inherited DNS Servers: select an Inheritance Source from which the firewall takes its existing DNS server settings for the DNS proxy object. Only interfaces configured as DHCP client interfaces or PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings that the client interface dynamically receives from a DHCP server also populate the Primary and Secondary DNS server settings (leave both of these fields set to inherited).
  - Specify DNS Servers: set Inheritance Source to none, then enter the Primary DNS server IP address or address object and the Secondary DNS server IP address or address object.
- Enable the firewall to reach out to specific DNS servers to resolve specific domains. For example, the firewall can forward queries for corporate domains to a corporate DNS server for resolution.
- Select DNS Proxy Rules, Add a rule, and give the rule a descriptive Name.
- Select Turn on caching of domains resolved by this mapping to have the firewall save the answers to recently resolved queries for these domains, so that matching future queries are answered from the cache.
- Add one or more Domain Name entries to which the rule applies.
- Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
- Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server.
- Select Static Entries.
- Add and Name a new static mapping entry.
- Enter the FQDN that you want the firewall to resolve locally.
- Add one or more IP Address entries to map to the FQDN you entered in the previous step.
- Enable caching for resolved hostname-to-IP-address mappings, and customize additional DNS settings. Select Advanced and configure settings to:
- Store recently resolved hostname-to-IP-address mappings: select Cache, then specify the number of entries the cache holds and the number of hours after which all cached DNS entries are removed.
- Enable DNS queries using TCP.
- Specify settings for UDP query retries.
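The steps above configure four sources of answers (static entries, the cache, DNS Proxy Rules and the default servers). The following Python model, added here as an illustration and not code from the page or from PAN-OS, shows the resolution order those settings imply and how the per-rule caching checkbox and the cache size and timeout interact. It assumes (these are assumptions, not documented PAN-OS behaviour) that static entries are checked before the cache, that a rule's Domain Name is either an exact name or a `*.` wildcard covering any subdomain with the longest match winning, that answers for the default servers are cached whenever Cache is enabled, and that a full cache evicts the entry closest to expiry. All addresses, domain names and the stand-in upstream lookup table are constructed for the example.

```python
"""Model of a DNS proxy object's resolution order (added example, not PAN-OS code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProxyRule:
    """One DNS Proxy Rule: queries for the listed domains go to these servers."""
    name: str
    domain_names: List[str]    # exact names, or "*.example.com" for any subdomain (assumed syntax)
    primary: str
    secondary: str
    cacheable: bool = True     # "Turn on caching of domains resolved by this mapping"


@dataclass
class Decision:
    source: str                # "static", "cache", a rule name, or "default"
    servers: Tuple[str, ...]   # servers the proxy would query (empty when answered locally)
    answers: List[str]


class DnsProxyModel:
    def __init__(self, default_primary: str, default_secondary: str,
                 static_entries: Dict[str, List[str]], rules: List[ProxyRule],
                 cache_enabled: bool = True, cache_size: int = 1024,
                 cache_timeout_hours: int = 4) -> None:
        self.default_servers = (default_primary, default_secondary)
        self.static_entries = {k.lower().rstrip("."): v for k, v in static_entries.items()}
        self.rules = rules
        self.cache_enabled = cache_enabled
        self.cache_size = cache_size
        self.cache_timeout = cache_timeout_hours * 3600   # Advanced > Cache timeout, in seconds
        self._cache: Dict[str, Tuple[List[str], float]] = {}   # name -> (answers, expires_at)

    @staticmethod
    def _matches(pattern: str, name: str) -> bool:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]                        # ".corp.example.com"
            return name.endswith(suffix) and len(name) > len(suffix)
        return pattern == name

    def _match_rule(self, name: str) -> Optional[ProxyRule]:
        # Longest matching Domain Name wins when several rules apply (assumption).
        best, best_len = None, -1
        for rule in self.rules:
            for pattern in rule.domain_names:
                if self._matches(pattern, name) and len(pattern) > best_len:
                    best, best_len = rule, len(pattern)
        return best

    def _store(self, name: str, answers: List[str], expires_at: float) -> None:
        if len(self._cache) >= self.cache_size:      # full: evict the entry closest to expiry
            oldest = min(self._cache, key=lambda k: self._cache[k][1])
            del self._cache[oldest]
        self._cache[name] = (list(answers), expires_at)

    def resolve(self, qname: str, upstream: Callable[[str, str], Tuple[List[str], int]],
                now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        name = qname.lower().rstrip(".")
        # 1. Static entries are answered locally, without contacting any server.
        if name in self.static_entries:
            return Decision("static", (), list(self.static_entries[name]))
        # 2. A fresh cache entry also answers locally; an expired one is dropped.
        if self.cache_enabled:
            hit = self._cache.get(name)
            if hit and hit[1] > now:
                return Decision("cache", (), list(hit[0]))
            if hit:
                del self._cache[name]
        # 3. A matching proxy rule selects its own servers; otherwise the defaults apply.
        rule = self._match_rule(name)
        if rule is not None:
            source, servers, cacheable = rule.name, (rule.primary, rule.secondary), rule.cacheable
        else:
            source, servers, cacheable = "default", self.default_servers, True
        answers, ttl = upstream(servers[0], name)       # primary only; failover not modelled
        if self.cache_enabled and cacheable and answers:
            # The record TTL and the cache timeout both bound how long the answer is reused.
            self._store(name, answers, now + min(ttl, self.cache_timeout))
        return Decision(source, servers, answers)


def fake_upstream(server: str, name: str) -> Tuple[List[str], int]:
    """Constructed stand-in for real DNS servers: returns (answers, TTL seconds)."""
    table = {
        ("10.1.1.53", "corp.example.com"): (["10.1.20.1"], 300),
        ("10.1.1.53", "intranet.corp.example.com"): (["10.1.20.7"], 300),
        ("198.51.100.53", "www.example.net"): (["203.0.113.10"], 60),
    }
    return table.get((server, name), ([], 0))


def build_demo_proxy() -> DnsProxyModel:
    """Constructed configuration mirroring the steps above (all addresses are examples)."""
    return DnsProxyModel(
        default_primary="198.51.100.53", default_secondary="198.51.100.54",
        static_entries={"printer.corp.example.com": ["10.1.30.5"]},
        rules=[ProxyRule("corp-dns", ["corp.example.com", "*.corp.example.com"],
                         "10.1.1.53", "10.1.1.54")],
        cache_size=2, cache_timeout_hours=4)


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for qname, t in [("printer.corp.example.com", 0), ("intranet.corp.example.com", 0),
                     ("intranet.corp.example.com", 100), ("intranet.corp.example.com", 301),
                     ("www.example.net", 0)]:
        print(f"t={t:>4} {qname:<28} {proxy.resolve(qname, fake_upstream, now=t)}")
```

Note that `printer.corp.example.com` also matches the `*.corp.example.com` rule, but the static entry answers it without any server being contacted; that precedence is what makes static entries useful for overriding names that the corporate server would otherwise answer. The 300-second record TTL expires the cached intranet answer before the 4-hour cache timeout does, so the fourth query goes back to the corporate server.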
- Enable evasion signatures. When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert on instances where a client connects to a domain other than the one it named in the original DNS query.
- Install Applications and Threats content version 579 or later:
- Select Device > Dynamic Updates.
- Click Check Now to get the latest Applications and Threats content update.
- Download and Install Applications and Threats content version 579 or later.
- In an Anti-Spyware profile, define how traffic matched to evasion signatures is enforced:
- Select Exceptions and select Show all signatures.
- Filter the signatures on the keyword evasion.
- For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow, so leaving it unchanged means the matches are not enforced). For example, set the action to alert or block.
- Click OK to save the updated Anti-Spyware profile.
- Attach the Anti-Spyware profile to a Security policy rule: select Policies > Security, select the policy rule to modify, and then click the Actions tab. In Profile Settings, open the Anti-Spyware drop-down and select the profile you just modified to enforce evasion signatures.
- Commit your changes.
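The correlation that the evasion signatures rely on, as a simplified added example (this is not Palo Alto Networks code and not the signature logic itself): the firewall that proxies DNS has seen which names each client resolved to which IP, so a later HTTP Host header or TLS SNI that names a different domain for that IP is suspicious. The log format below is constructed for the example (epoch timestamps, one event per line; it is not a PAN-OS log format), and the `window` parameter, the two verdict names and the client/IP pairing are assumptions of this model.

```python
"""Correlate DNS answers with later HTTP/TLS requests (added example, not PAN-OS signature code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed log format (not a PAN-OS log format): epoch timestamps, one event per line.
DNS_RE = re.compile(r"^DNS (?P<ts>\d+) client=(?P<client>\S+) query=(?P<name>\S+) answer=(?P<ip>\S+)$")
CONN_RE = re.compile(r"^(?P<proto>HTTP|TLS) (?P<ts>\d+) client=(?P<client>\S+) dst=(?P<ip>\S+) name=(?P<name>\S+)$")


@dataclass
class Alert:
    proto: str            # HTTP (Host header) or TLS (SNI)
    client: str
    dst_ip: str
    requested: str        # domain the client named in the request
    resolved: List[str]   # domains this client recently resolved to dst_ip
    verdict: str          # "domain-mismatch" or "no-dns-lookup"


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def find_dns_evasion(lines: List[str], window: int = 300) -> List[Alert]:
    """Flag HTTP/TLS requests whose named domain differs from what the client resolved to that IP."""
    resolved: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(dict)   # (client, ip) -> {name: ts}
    alerts: List[Alert] = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            resolved[(m["client"], m["ip"])][_norm(m["name"])] = int(m["ts"])
            continue
        m = CONN_RE.match(line)
        if m is None:
            continue                        # unrelated line
        ts, requested = int(m["ts"]), _norm(m["name"])
        recent = sorted(n for n, t in resolved.get((m["client"], m["ip"]), {}).items()
                        if 0 <= ts - t <= window)
        if not recent:
            verdict = "no-dns-lookup"       # direct-to-IP, or resolved outside the proxy/window
        elif requested in recent:
            continue                        # consistent with the client's own lookup
        else:
            verdict = "domain-mismatch"     # the evasion case the signatures target
        alerts.append(Alert(m["proto"], m["client"], m["ip"], requested, recent, verdict))
    return alerts


# Constructed sample log: a benign lookup, an evasion, a direct-to-IP request, and a shared IP.
SAMPLE_LOG = """
DNS 1000 client=10.1.50.12 query=www.example.net answer=203.0.113.10
TLS 1001 client=10.1.50.12 dst=203.0.113.10 name=www.example.net
DNS 1010 client=10.1.50.12 query=cdn.example.org answer=198.51.100.8
TLS 1011 client=10.1.50.12 dst=198.51.100.8 name=evil.example.com
HTTP 1020 client=10.1.50.13 dst=192.0.2.44 name=update.example.com
DNS 1030 client=10.1.50.14 query=a.example.net answer=203.0.113.20
DNS 1031 client=10.1.50.14 query=b.example.net answer=203.0.113.20
TLS 1032 client=10.1.50.14 dst=203.0.113.20 name=B.example.net.
""".strip().splitlines()


if __name__ == "__main__":
    for a in find_dns_evasion(SAMPLE_LOG):
        print(f"{a.verdict}: {a.client} -> {a.dst_ip} {a.proto} name={a.requested} resolved={a.resolved}")
```

Two details matter in practice. A client that resolved several names to the same IP (the 10.1.50.14 case, typical of CDNs and shared hosting) is not flagged as long as the name it requests is one of them, so the check does not fire merely because an address is shared. A request with no preceding lookup from that client cannot be judged either way; it is reported separately and is only an indicator, which is also why the page ties these signatures to DNS proxy being enabled: the firewall can only correlate queries it actually answered.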