Domain name system (DNS) servers translate user-friendly domain names to the associated IP addresses, which locate and identify the corresponding resources. A Palo Alto Networks firewall positioned between clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
- Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
- Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP-address mappings, and resolve all other domains using a public or ISP DNS server).
Enable the Firewall to Act as a DNS Proxy
Step 1. Specify the interfaces on which you want the firewall to listen for DNS requests.
Select Network > DNS Proxy and add a new DNS proxy object.
Make sure the object is enabled, then add one or more interfaces on which the firewall listens for DNS requests.
(Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set its location to apply the DNS proxy object settings to a specific virtual system.
Step 2. Define the DNS servers with which the firewall communicates to resolve DNS requests.
If you are enabling DNS proxy on a virtual system, you must first make the appropriate selection in the Server Profile drop-down, and then continue with either of the following options.
Specify DNS Servers: enter the primary DNS server IP address or address object, and the secondary DNS server IP address or address object.
Use Inherited DNS Servers: select the inheritance source from which the firewall can use existing DNS server settings for the DNS proxy object. Only interfaces configured as DHCP client interfaces or PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings that the client interface dynamically receives from the DHCP server are also used to populate the primary and secondary DNS server settings (just continue to set both of these fields to inherited).
Step 3. Enable the firewall to reach out to certain DNS servers to resolve specific domains.
For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution.
Select DNS Proxy Rules, add a rule, and give the rule a descriptive name.
Turn on caching of domains resolved by this mapping to enable the firewall to save recently resolved DNS queries, so that future matching queries are resolved quickly.
Add one or more domain names, then enter the IP addresses or address objects for the primary and secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.
Step 4. Set up static FQDN-to-IP-address entries that the firewall can resolve locally, without having to reach out to a DNS server.
Add a new static mapping entry, enter the FQDN that you want the firewall to resolve, and add one or more IP addresses to map to that FQDN.
Step 5. Enable caching for resolved hostname-to-IP-address mappings, and customize additional DNS settings.
Open the DNS proxy object's advanced settings and configure them to:
- Store recently resolved hostname-to-IP-address mappings. Enable the cache, then specify the number of entries the cache holds and the number of hours after which all cached DNS entries are removed.
- Enable DNS queries using TCP.
- Specify settings for UDP query retries.
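The resolution order that steps 2 through 5 describe (static entries first, then the cache, then a matching proxy rule, then the default servers, with a size-bounded cache whose entries expire after the configured number of hours) is modelled below in Python. This is an added example written for this page, not PAN-OS code; the upstream server table, the rule, and every address in it are constructed, and the ISP server is deliberately given a wrong answer for the corporate name to show why the proxy rule matters.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed stand-in for upstream DNS servers: server IP -> {name: [answers]}.
# The ISP server deliberately holds a wrong answer for the corporate name, so
# the example shows why the proxy rule must steer that domain to 10.0.0.53.
UPSTREAM = {
    "10.0.0.53": {"intranet.example.corp": ["10.1.2.3"]},
    "198.51.100.53": {
        "www.example.net": ["203.0.113.10"],
        "mail.example.net": ["203.0.113.25"],
        "intranet.example.corp": ["203.0.113.99"],
    },
}

def forward(servers, name):
    """Query the configured primary, then secondary server; first answer wins."""
    for server in servers:
        answer = UPSTREAM.get(server, {}).get(name)
        if answer:
            return server, answer
    return None, []

@dataclass
class ProxyRule:
    domains: list        # domain names (suffixes) the rule applies to
    servers: list        # primary and secondary DNS servers for those domains
    cache: bool = True   # "turn on caching of domains resolved by this mapping"

class DnsProxy:
    def __init__(self, default_servers, rules, static_entries,
                 max_cache=1000, ttl_hours=4):
        self.default_servers = default_servers
        self.rules = rules
        self.static = {n.lower(): ips for n, ips in static_entries.items()}
        self.max_cache = max_cache
        self.ttl = ttl_hours * 3600
        self.cache = OrderedDict()   # name -> (expires_at, ips), oldest first

    def _rule_for(self, name):
        """Longest matching domain suffix wins."""
        best, best_len = None, -1
        for rule in self.rules:
            for dom in rule.domains:
                d = dom.lower().lstrip("*.")
                if (name == d or name.endswith("." + d)) and len(d) > best_len:
                    best, best_len = rule, len(d)
        return best

    def resolve(self, name, now):
        """Return (source, ips); `now` is a timestamp in seconds."""
        name = name.lower().rstrip(".")
        if name in self.static:                    # 1. static entry, never forwarded
            return "static", self.static[name]
        hit = self.cache.get(name)
        if hit and hit[0] > now:                   # 2. unexpired cache entry
            return "cache", hit[1]
        self.cache.pop(name, None)                 # drop an expired entry
        rule = self._rule_for(name)                # 3. per-domain proxy rule
        servers = rule.servers if rule else self.default_servers  # 4. defaults
        server, ips = forward(servers, name)
        if not ips:
            return "unresolved", []
        if rule is None or rule.cache:             # rule may opt out of caching
            self.cache[name] = (now + self.ttl, ips)
            while len(self.cache) > self.max_cache:
                self.cache.popitem(last=False)     # evict the oldest entry
        return "forwarded:" + server, ips

if __name__ == "__main__":
    proxy = DnsProxy(default_servers=["198.51.100.53"],
                     rules=[ProxyRule(["example.corp"], ["10.0.0.53"])],
                     static_entries={"printer.lan": ["192.168.1.20"]},
                     max_cache=2, ttl_hours=1)
    for t, q in [(0, "printer.lan"), (0, "intranet.example.corp"),
                 (10, "intranet.example.corp"), (3601, "intranet.example.corp")]:
        print(t, q, proxy.resolve(q, t))
```

The cache is keyed on the query name only, as the page describes; the timestamp is passed in rather than read from the clock so the expiry behaviour can be exercised deterministically.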
Step 6. Enable evasion signatures.
When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert on instances where a client connects to a domain other than the domain specified in the original DNS query.
a. Install the Applications and Threats content version 579 or later: Select Device > Dynamic Updates, check for the latest Applications and Threats content update, then Download and Install Applications and Threats content version 579.
b. Define how traffic matched to evasion signatures should be enforced: Select Objects > Security Profiles > Anti-Spyware, then add or modify an Anti-Spyware profile. Show all signatures and filter them on the keyword evasion. For all evasion signatures, set the action to any setting other than allow or the default action (the default action for evasion signatures is allow); for example, set the action to alert or block. Save the updated Anti-Spyware profile.
c. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the policy rule to modify, and open its Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the profile you just modified to enforce evasion signatures.
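The correlation the evasion signatures rely on, that is, checking whether the host named in an HTTP Host header or TLS SNI was actually resolved to the destination IP by the proxy for that client, is shown below as an added Python example over constructed log records. This is illustrative detection logic written for this page, not the firewall's signature engine; the answer log, the connection records and all addresses are constructed.

```python
from collections import defaultdict

# Constructed proxy answer log: (client, queried name, IPs the proxy returned).
DNS_ANSWERS = [
    ("192.0.2.10", "www.example.net", ["203.0.113.10"]),
    ("192.0.2.10", "cdn.example.org", ["203.0.113.20", "203.0.113.21"]),
    ("192.0.2.11", "www.example.net", ["203.0.113.10"]),
]

# Constructed connection records: (client, dest IP, protocol, host named
# in the HTTP Host header or TLS SNI).
CONNECTIONS = [
    ("192.0.2.10", "203.0.113.10", "http", "www.example.net"),   # consistent
    ("192.0.2.10", "203.0.113.21", "tls",  "cdn.example.org"),   # consistent (second answer)
    ("192.0.2.10", "203.0.113.10", "tls",  "bank.example.com"),  # SNI names a domain the IP was not resolved for
    ("192.0.2.11", "203.0.113.50", "http", "www.example.net"),   # IP never handed out to this client
]

def build_index(answers):
    """client -> {ip -> set of names the proxy resolved to that ip}."""
    idx = defaultdict(lambda: defaultdict(set))
    for client, name, ips in answers:
        for ip in ips:
            idx[client][ip].add(name.lower())
    return idx

def check_connections(connections, answers):
    """Flag connections whose named host does not match the proxy's answers."""
    idx = build_index(answers)
    findings = []
    for client, dst, proto, host in connections:
        host = host.lower()
        resolved = idx[client].get(dst, set())
        if host in resolved:
            continue                       # the proxy resolved this host to this IP
        if resolved:
            reason = "IP was resolved for " + ", ".join(sorted(resolved))
        else:
            reason = "no DNS answer from proxy for this IP"
        findings.append({"client": client, "dst": dst, "proto": proto,
                         "host": host, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in check_connections(CONNECTIONS, DNS_ANSWERS):
        print(f)
```

The index is built per client because the check is about what each client was told; a name legitimately resolved for one client does not explain another client's connection. The second "no DNS answer" case also covers hard-coded IP addresses, which is why the page's step 1 binds the proxy to the interfaces clients actually use.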