Neighbor Discovery Protocol (NDP) functions
for IPv6 in a capacity similar to ARP for IPv4. The firewall implementation
of Neighbor Discovery (ND) allows
you to provision IPv6 hosts with the Recursive DNS Server (RDNSS)
and DNS Search List (DNSSL) Options. You configure these DNS Options
on the firewall so the firewall can provision your IPv6 hosts; therefore
you don’t need a separate DHCPv6 server to provision the hosts.
The firewall sends IPv6 Router Advertisements (RAs) containing these
options to IPv6 hosts as part of their DNS configuration to fully
provision them to reach internet services. RFC 6106, IPv6
Router Advertisement Options for DNS Configuration, describes
Recursive DNS Server Addresses—Recursive DNS refers to a series of DNS requests by an RDNS Server to resolve
a domain name with an IP address. Configure the addresses of RDNS
Servers so the firewall can advertise them and thus provision IPv6
hosts with the addresses of RDNS servers that can resolve their
DNS queries. A single IPv6 RA uses one RDNS Server Option with multiple
addresses and the same lifetime, or multiple RDNS Server Options
with different lifetime values.
DNS Search List—Configure a list of domain names (suffixes)
that you want to advertise to a DNS client. The firewall thus provisions
the DNS client to use the suffixes in its unqualified DNS queries.
The DNS client appends the suffixes, one at a time, to an unqualified
domain name before entering the name into a DNS query, thereby using
a fully qualified domain name (FQDN) in the query. For example,
if a user tries to submit a DNS query for the name “quality” without
a suffix, the DNS client appends a period and the first DNS suffix
from the DNS Search List to the name and transmits a DNS query.
If the first DNS suffix on the list is “company.com”, the resulting
DNS query is for the FQDN “quality.company.com”.
If the DNS
query fails, the client appends the second DNS suffix from the list
to the unqualified name and transmits a new DNS query. The client
uses the DNS suffixes in order until a DNS lookup succeeds (ignoring
the remaining suffixes) or the client has tried all suffixes on
the list. A single IPv6 RA uses one DNS Search List Option with
multiple domain names and the same lifetime, or multiple DNS Search
List Options with different lifetimes.
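The two option layouts described above (one RDNSS or DNSSL option carrying several values under a shared lifetime, with an 8-octet-aligned length field) are shown here in an added example that is not PAN-OS code; the option type codes 25 and 31 come from RFC 6106, while every address, suffix and lifetime is a constructed sample. The parser steps over unrelated RA options and refuses zero-length or truncated ones, which is the check a host or monitor needs before trusting advertised DNS settings.

```python
import ipaddress
import struct

# RFC 6106 option type codes; the addresses, suffixes and lifetimes used below are constructed samples
ND_OPT_RDNSS, ND_OPT_DNSSL = 25, 31

def build_option(opt_type, lifetime, payload):
    """Pack one ND option: type, length in 8-octet units, 2 reserved bytes, 4-byte lifetime."""
    payload += b"\x00" * (-len(payload) % 8)  # pad to an 8-octet boundary
    return struct.pack("!BBHI", opt_type, (8 + len(payload)) // 8, 0, lifetime) + payload

def build_dnssl(lifetime, names):
    wire = b""
    for name in names:  # RFC 1035 label sequence for each suffix, no compression
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
        wire += b"\x00"
    return build_option(ND_OPT_DNSSL, lifetime, wire)

def decode_names(data):
    """Inverse of build_dnssl; a zero byte where a name would start is trailing padding."""
    names, labels, i = [], [], 0
    while i < len(data) and (data[i] or labels):
        n, i = data[i], i + 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(data[i:i + n].decode("ascii"))
            i += n
    return names

def parse_dns_options(options):
    """Return ('rdnss'|'dnssl', lifetime, values) tuples from an RA option block, stepping over
    unrelated options by their length and rejecting zero-length or truncated ones."""
    found, off = [], 0
    while off + 2 <= len(options):
        opt_type, opt_len = options[off], options[off + 1]
        if opt_len == 0 or off + opt_len * 8 > len(options):
            raise ValueError("malformed ND option")
        lifetime = struct.unpack("!I", options[off + 4:off + 8])[0]
        body = options[off + 8:off + opt_len * 8]  # everything after the 8-byte option header
        if opt_type == ND_OPT_RDNSS and body and len(body) % 16 == 0:
            found.append(("rdnss", lifetime, [str(ipaddress.IPv6Address(body[i:i + 16]))
                                              for i in range(0, len(body), 16)]))
        elif opt_type == ND_OPT_DNSSL:
            found.append(("dnssl", lifetime, decode_names(body)))
        off += opt_len * 8
    return found

# Constructed RA option block: an MTU option (type 5) to step over, one RDNSS option with two
# servers under a shared lifetime, and one DNSSL option with two suffixes.
SAMPLE_OPTIONS = (struct.pack("!BBHI", 5, 1, 0, 1500)
                  + build_option(ND_OPT_RDNSS, 1800, b"".join(
                      ipaddress.IPv6Address(a).packed for a in ["2001:db8::53", "2001:db8::54"]))
                  + build_dnssl(1800, ["company.com", "lab.company.com"]))
```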
The capability of the firewall to send IPv6 RAs for DNS configuration
allows the firewall to perform a role similar to DHCP, and is unrelated
to the firewall being a DNS proxy, DNS client, or DNS server.
Configure Layer 3 Interfaces on the firewall
to send IPv6 Router Advertisements, and specify the RDNS Server
addresses and DNS suffixes for the firewall to advertise from this

IPv6 Router Advertisement for DNS Configuration is
supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet
interfaces, and Layer 3 VLAN interfaces on all PAN-OS firewall models.