DNS servers perform the service of resolving a domain name with an IP address and vice versa. When you configure the firewall as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.
What do you want to know? See:
How does the firewall proxy DNS requests? DNS Proxy Overview
How do I configure a DNS proxy? DNS Proxy Settings
How do I configure static FQDN-to-IP address mappings?
What actions can I perform to manage DNS proxies? Additional DNS Proxy Actions
Want more information? DNS
DNS Proxy Overview
You can configure the firewall to act as a DNS server by creating a DNS proxy, selecting the interfaces the proxy applies to, and specifying the default DNS primary and secondary servers to which the firewall sends the DNS queries if it doesn’t find the domain name in its DNS proxy cache (and if the domain name doesn’t match a proxy rule).
To direct DNS queries to different DNS servers based on domain names, you can create DNS proxy rules. Specifying multiple DNS servers can ensure localization of DNS queries and increase efficiency. For example, you can forward all corporate DNS queries to a corporate DNS server and forward all other queries to ISP DNS servers.
Use the following tabs to define a DNS proxy (beyond the default DNS primary and secondary servers):
Static Entries —Allows you to configure static FQDN-to-IP address mappings that the firewall caches and sends to hosts in response to DNS queries. DNS Proxy Rules —Allows you to specify domain names and corresponding primary and secondary DNS servers to resolve queries that match the rule. If the domain name isn’t in the DNS proxy cache, the firewall searches for a match in the DNS proxy (on the interface on which the query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the firewall sends the query to the default DNS primary and secondary servers. You can enable caching of domains that match the rule. Advanced —Allows you to enable caching and control TCP queries and UDP Query Retries.
TCP or UDP DNS queries are sent through the configured interface. UDP queries switch over to TCP when a DNS query answer is too long for a single UDP packet.
DNS Proxy Settings
Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on a firewall.
DNS Proxy Setting Configured In Description
Enable DNS Proxy Select this option to enable DNS proxy.
Name Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location Specify the virtual system to which the DNS proxy object applies. If you choose Shared, the Server Profile field is not available. Enter the Primary and Secondary DNS server IP addresses or address objects. For a virtual system to use DNS Proxy, you must configure one first. Select Device > Virtual Systems, select a virtual system, and select a DNS Proxy.
Inheritance Source Select a source to inherit default DNS server settings. This is commonly used in branch office deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.
Check inheritance source status Select this option to see the server settings that are currently assigned to the DHCP client and PPPoE client interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.
Server Profile Select or create a new DNS server profile. This field does not appear if the Location of virtual systems was specified as Shared.
Primary Secondary Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS proxy) sends DNS queries. If the primary DNS server cannot be found, the secondary is used.
Interface Select Interface to specify the firewall interfaces to support the DNS proxy rules. Select an interface from the drop-down and click Add. You can add multiple interfaces. To delete an interface, select the interface and click Delete. An interface is not required if the DNS Proxy is used only for service route functionality. A destination service route should be used with a DNS proxy with no interface, if you want the source IP address to be set by the destination service route. Otherwise, the DNS proxy would select an interface IP address to use as a source (when no DNS service routes are set).
Name DNS Proxy > DNS Proxy Rules A name is required so that an entry can be referenced and modified via the CLI.
Turn on caching of domains resolved by this mapping Select this option to enable caching of domains that are resolved by this mapping.
Domain Name Click Add and enter one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified for this proxy. To delete a domain name from the rule, select it and click Delete.
Primary/Secondary Enter the hostname or IP addresses of the primary and secondary DNS servers.
Name DNS Proxy > Static Entries Enter a name for the Static Entry.
FQDN Enter the Fully Qualified Domain Name (FQDN) that will be mapped to the static IP addresses defined in the Address field.
Address Click Add and enter one or more IP addresses that map to this domain. The firewall includes all of these addresses in its DNS response, and the client chooses which IP address to use. To delete an address, select the address and click Delete.
Cache DNS Proxy > Advanced Select this option to enable DNS caching. Leave Size and Timeout settings with default values. Beginning with PAN-OS 7.1.1 and for later releases, the DNS proxy automates these settings to maximize efficiency.
TCP Queries Select this option to enable DNS queries using TCP. Specify the upper limit on the number of concurrent pending TCP DNS requests ( Max Pending Requests) that the firewall will support (range is 64-256; default is 64).
UDP Queries Retries Specify settings for UDP query retries: Interval —Specify the time, in seconds, after which another request is sent if no response has been received (range is 1-30; default is 2). Attempts —Specify the maximum number of attempts (excluding the first attempt) after which the next DNS server is tried (range is 1-30; default is 5).
Additional DNS Proxy Actions
After configuring the firewall as a DNS Proxy, you can perform the following actions on the Network > DNS Proxy page to manage DNS proxy configurations:
Modify —To modify a DNS proxy, click into the name of the DNS proxy configuration. Delete —Select a DNS proxy entry and click Delete to remove the DNS proxy configuration. Disable —To disable a DNS proxy, click into the name of the DNS proxy entry and clear the Enable option. To enable a DNS proxy that is disabled, click into the name of the DNS proxy entry and select Enable.

Related Documentation