Multi-Tenant DNS Deployments
The firewall determines how to handle a DNS request based on where the request originated. An environment in which a service provider (ISP) hosts multiple tenants on one firewall, typically one virtual system (vsys) per tenant, is known as multi-tenancy. There are three use cases for multi-tenant DNS deployments:
- Global Management DNS Resolution—The firewall needs DNS resolution for its own purposes, for example when the management plane must resolve the FQDN of a management service such as a software update server. Because the request does not arrive on any virtual router, the firewall reaches the DNS server through its DNS service route and uses the global DNS settings.
- Policy and Report FQDN Resolution for a Virtual System—For FQDNs that must be resolved on behalf of a Security policy rule, a report, or a server profile, you can either specify a set of DNS servers specific to the virtual system (tenant) or default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object; the resolution is then specific to the virtual system to which that DNS proxy is assigned. If no DNS servers are specified for the virtual system, the firewall uses the global DNS settings.
- Dataplane DNS Resolution for a Virtual System—This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved by the tenant's own DNS server in its network. This method supports split DNS: the tenant can also use its ISP's DNS servers for the remaining DNS queries that its own server does not resolve. DNS Proxy Object rules control the split; a rule for the tenant's domain redirects queries for that domain to the tenant's DNS servers, which are configured in a DNS server profile. The DNS server profile designates primary and secondary DNS servers and, optionally, DNS service routes for IPv4 and IPv6 that override the default DNS service route.
The following table summarizes the DNS resolution types. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.
- Firewall DNS resolution, performed by the management plane. Binding location: shared (global DNS settings). Service route: the default DNS service route. Illustrated in Use Case 1.
- Security policy, reporting, and server profile resolution, performed by the management plane. Binding location: shared, or a specific vsys. When bound to shared (the default), the behavior is the same as Use Case 1. When a DNS proxy object is bound to a specific vsys, the servers and any service route in that vsys's DNS server profile are used; illustrated in Use Case 2.
- DNS proxy resolution for DNS client hosts connected to an interface on the firewall, with queries going through the firewall to a DNS server, performed by the dataplane. Binding location: a specific vsys. Service route: the interface and IP address on which the DNS request was received. Illustrated in Use Case 3.
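The decision the three use cases and the table describe, modeled as an added example. This is constructed illustration code, not code from this page or from Palo Alto Networks: the proxy object and profile names, the RFC 5737 addresses, the query origins, and the rule-matching semantics (a rule for a domain covers that name and everything under it, longest suffix wins) are all assumptions, not PAN-OS configuration syntax or a verbatim description of its matching engine.

```python
"""Constructed model of how a multi-tenant firewall chooses DNS servers.
Names, addresses and the suffix-match semantics are assumptions for
illustration, not PAN-OS syntax or its exact matching behaviour."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SHARED = "shared"  # location of the global (non-vsys) DNS settings


@dataclass(frozen=True)
class DnsServerProfile:
    """Primary/secondary servers plus an optional DNS service route (source
    address) that overrides the firewall's default DNS service route."""
    name: str
    primary: str
    secondary: str
    service_route_v4: Optional[str] = None


@dataclass
class DnsProxyObject:
    """Bound to SHARED or to one vsys: a default profile plus per-domain
    rules that implement split DNS."""
    name: str
    location: str
    default: DnsServerProfile
    rules: dict[str, DnsServerProfile] = field(default_factory=dict)

    def servers_for(self, qname: str) -> tuple[DnsServerProfile, str]:
        """Return (profile, matched rule). Assumed semantics: a rule for
        'corp.tenant-a.example' also covers names under it; longest match wins."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):          # longest suffix is tried first
            suffix = ".".join(labels[i:])
            if suffix in self.rules:
                return self.rules[suffix], suffix
        return self.default, "default"


@dataclass(frozen=True)
class DnsQuery:
    qname: str
    origin: str                       # "management", "vsys-policy" or "dataplane-client"
    vsys: Optional[str] = None        # tenant vsys for the two vsys-scoped origins
    ingress_ip: Optional[str] = None  # interface IP that received a dataplane query


def select_proxy(query: DnsQuery, proxies: list[DnsProxyObject]) -> DnsProxyObject:
    """The binding location decides which DNS proxy object answers."""
    by_location = {p.location: p for p in proxies}
    if query.origin == "management":            # use case 1: always the global settings
        return by_location[SHARED]
    if query.origin == "vsys-policy":           # use case 2, falling back to global
        return by_location.get(query.vsys, by_location[SHARED])
    if query.origin == "dataplane-client":      # use case 3 needs a proxy on that vsys
        if query.vsys not in by_location:
            raise LookupError(f"no DNS proxy object bound to {query.vsys}")
        return by_location[query.vsys]
    raise ValueError(f"unknown query origin {query.origin!r}")


def resolve_path(query: DnsQuery, proxies: list[DnsProxyObject]) -> tuple[str, str, str, str, str]:
    """Return (proxy, profile, primary server, source used to reach it, matched rule)."""
    proxy = select_proxy(query, proxies)
    profile, matched = proxy.servers_for(query.qname)
    if query.origin == "dataplane-client":
        source = query.ingress_ip or "unknown-ingress"  # service route = receiving interface/IP
    else:
        source = profile.service_route_v4 or "default-service-route"
    return proxy.name, profile.name, profile.primary, source, matched


# Constructed sample deployment: one global proxy, one tenant proxy on vsys1, none on vsys2.
GLOBAL_SERVERS = DnsServerProfile("global-servers", "198.51.100.53", "198.51.100.54")
TENANT_A_ISP = DnsServerProfile("tenant-a-isp", "203.0.113.53", "203.0.113.54")
TENANT_A_INTERNAL = DnsServerProfile("tenant-a-internal", "10.1.0.53", "10.1.0.54",
                                     service_route_v4="10.1.0.1")
EXAMPLE_PROXIES = [
    DnsProxyObject("global-dns", SHARED, GLOBAL_SERVERS),
    DnsProxyObject("tenant-a-dns", "vsys1", TENANT_A_ISP,
                   rules={"corp.tenant-a.example": TENANT_A_INTERNAL}),
]

if __name__ == "__main__":
    for q in (
        DnsQuery("updates.example", "management"),
        DnsQuery("app.corp.tenant-a.example", "vsys-policy", vsys="vsys1"),
        DnsQuery("www.example", "vsys-policy", vsys="vsys1"),
        DnsQuery("www.example", "vsys-policy", vsys="vsys2"),
        DnsQuery("db.corp.tenant-a.example", "dataplane-client", vsys="vsys1", ingress_ip="10.1.5.1"),
    ):
        print(q.origin, q.qname, "->", resolve_path(q, EXAMPLE_PROXIES))
```

The point worth checking against a real deployment is the two failure modes the model makes explicit: a policy or report FQDN in a vsys with no proxy object silently falls back to the global servers (so a tenant's private names resolve against the provider's resolvers, or not at all), while a dataplane client query in such a vsys cannot be proxied at all.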
Related topics
- DNS Overview
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Object
- Configure a DNS Proxy Object
- Global Services Settings (Device > Setup > Services)
- Network > DNS Proxy