DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers need not store a huge volume of domain names mapped to IP addresses. DNS employs a client/server model; a DNS server resolves a query for a DNS client by looking up the domain in its cache and if necessary sending queries to other servers until it can respond to the client with the corresponding IP address.
The DNS structure of domain names is hierarchical; the top-level domain (TLD) in a domain name can be a generic TLD (gTLD): com, edu, gov, int, mil, net, or org (gov and mil are for the United States only) or a country code (ccTLD), such as au (Australia) or us (United States). ccTLDs are generally reserved for countries and dependent territories.
A fully qualified domain name (FQDN) includes at a minimum a host name, a second-level domain, and a TLD to completely specify the location of the host in the DNS structure. For example, www.paloaltonetworks.com is an FQDN.
Wherever a Palo Alto Networks firewall uses an FQDN in the user interface or CLI, the firewall must resolve that FQDN using DNS. Depending on where the FQDN query originates, the firewall determines which DNS settings to use to resolve the query.
A DNS record of an FQDN includes a time-to-live (TTL) value. By default, the firewall refreshes each FQDN in its cache based on the individual TTL provided by the DNS server, as long as that TTL is greater than or equal to the Minimum FQDN Refresh Time you configure on the firewall (or the default of 30 seconds if you don’t configure a minimum). Refreshing an FQDN based on its TTL value is especially helpful for securing access to cloud platform services, which often require frequent FQDN refreshes to ensure highly available services. For example, cloud environments that support autoscaling depend on FQDN resolutions for dynamically scaling services up and down, and fast resolution of FQDNs is critical in such time-sensitive environments.
By configuring a minimum FQDN refresh time, you limit how small a TTL value the firewall honors. If your IP addresses don’t change very often you may want to set a higher Minimum FQDN Refresh Time so that the firewall doesn’t refresh entries unnecessarily. The firewall uses the higher of the DNS TTL time and the configured Minimum FQDN Refresh Time.
For example, suppose two FQDNs have different TTL values and the Minimum FQDN Refresh Time is set to 26 seconds. The Minimum FQDN Refresh Time overrides smaller (faster) TTL values, so the actual refresh time for each FQDN is the larger of its own TTL and 26 seconds. (The original example table listing each FQDN's TTL and actual refresh time did not survive extraction.)
The FQDN refresh timer starts when the firewall receives a DNS response from the DNS server or DNS proxy object that is resolving the FQDN.
Additionally, you can set a stale timeout to configure how long the firewall continues to use stale (expired) FQDN resolutions in the event of an unreachable DNS Server. At the end of the stale timeout period, if the DNS server is still unreachable, the stale FQDN entries become unresolved (the firewall removes stale FQDN entries).
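The refresh and stale-timeout behavior described above, modeled as an added example (this is not PAN-OS code; the 1800-second stale timeout, the FQDN and the addresses are assumed sample values):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Firewall default when no Minimum FQDN Refresh Time is configured.
DEFAULT_MIN_REFRESH = 30


def effective_refresh(ttl: int, min_refresh: Optional[int] = None) -> int:
    """Interval actually honored: the larger of the DNS TTL and the configured minimum."""
    floor = DEFAULT_MIN_REFRESH if min_refresh is None else min_refresh
    return max(ttl, floor)


@dataclass
class FqdnEntry:
    addresses: List[str]
    resolved_at: float                   # DNS response time; the refresh timer starts here
    refresh_after: int                   # effective refresh interval in seconds
    stale_since: Optional[float] = None  # set once a refresh was due but DNS was unreachable


class FqdnCache:
    """Toy model of the firewall's FQDN cache: refresh timer plus stale-entry handling."""

    def __init__(self, min_refresh: Optional[int] = None, stale_timeout: int = 1800):
        self.min_refresh = min_refresh
        self.stale_timeout = stale_timeout  # assumed sample value, not the product default
        self.entries: Dict[str, FqdnEntry] = {}

    def on_dns_response(self, fqdn: str, addresses: List[str], ttl: int, now: float) -> int:
        """Store a resolution and return the refresh interval that will be honored."""
        interval = effective_refresh(ttl, self.min_refresh)
        self.entries[fqdn] = FqdnEntry(list(addresses), now, interval)
        return interval

    def lookup(self, fqdn: str, now: float, dns_reachable: bool) -> Tuple[str, List[str]]:
        """Return (state, addresses) for a policy lookup at time `now` (seconds)."""
        entry = self.entries.get(fqdn)
        if entry is None:
            return "unresolved", []
        due_at = entry.resolved_at + entry.refresh_after
        if now < due_at:
            return "fresh", entry.addresses
        if dns_reachable:
            return "refresh-due", entry.addresses  # caller re-queries, then on_dns_response()
        # DNS unreachable: keep using the expired entry until the stale timeout elapses.
        if entry.stale_since is None:
            entry.stale_since = due_at
        if now < entry.stale_since + self.stale_timeout:
            return "stale", entry.addresses
        del self.entries[fqdn]  # stale timeout elapsed: the entry becomes unresolved
        return "unresolved", []
```

With a 10-second TTL and a 26-second minimum, the entry is refreshed every 26 seconds; if DNS goes down at that point, the stale addresses remain in use for the stale timeout and are then dropped.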
The following firewall tasks are related to DNS:
- Configure your firewall with at least one DNS server so it can resolve hostnames. Configure primary and secondary DNS servers or a DNS Proxy object that specifies such servers, as shown in Use Case 1: Firewall Requires DNS Resolution.
- Customize how the firewall handles DNS resolution initiated by Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) for each virtual system, as shown in Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System.
- Configure the firewall to act as a DNS server for a client, as shown in Use Case 3: Firewall Acts as DNS Proxy Between Client and Server.
- Configure an Anti-Spyware profile to Use DNS Queries to Identify Infected Hosts on the Network.
- Enable Passive DNS Monitoring, which allows the firewall to automatically share domain-to-IP address mappings based on your network traffic with Palo Alto Networks. The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system.
- Enable Evasion Signatures and then enable evasion signatures for threat prevention.
- Configure an Interface as a DHCP Server. This enables the firewall to act as a DHCP server and send DNS information to its DHCP clients so that the provisioned clients can reach their respective DNS servers.