Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution
for Security Policies, Reporting, and Services within its Virtual
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.
Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy Object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a
Locationwill use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.
- For each virtual system, specify the DNS Proxy to use.
- SelectandDeviceVirtual SystemsAddtheIDof the virtual system (range is 1-255), and an optionalName, in this example, Corp1 Corporation.
- On theGeneraltab, choose aDNS Proxyor create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation’s virtual system.
- ForInterfaces, clickAdd. In this example, Ethernet1/20 is dedicated to this tenant.
- ForVirtual Routers, clickAdd. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
- Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
- Selectand clickNetworkDNS ProxyAdd.
- ClickEnableand enter aNamefor the DNS Proxy.
- ForLocation, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (You could choose theSharedDNS Proxy resource instead.)
- ForServer Profile, choose or create a profile to customize DNS servers to use for DNS resolutions for this tenant’s security policy, reporting, and server profile services.If the profile is not already configured, in theServer Profilefield, clickDNS Server Profileto Configure a DNS Server Profile.The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
- Also for this server profile, optionally configure aService Route IPv4and/or aService Route IPv6to instruct the firewall whichSource Interfaceto use in its DNS requests. If that interface has more than one IP address, configure theSource Addressalso.
- ClickOKandCommit.Optional advanced features such as split DNS can be configured usingDNS Proxy Rules. A separate DNS server profile can be used to redirect DNS resolutions matching theDomain Namein aDNS Proxy Ruleto another set of DNS servers, if required. Use Case 3 illustrates split DNS.If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule’s service route. Using the DNS proxy object’s service route.
- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during theCommitprocess:
- If no service route is defined in any DNS server profile, the global service route is used if needed.
Use Case 3: Firewall Acts as DNS Proxy Between Client and S...
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server In this use case, the firewall is located between a DNS client and ...
Multi-Tenant DNS Deployments
Multi-Tenant DNS Deployments The firewall determines how to handle DNS requests based on where the request originated. An environment where an ISP has multiple tenants ...
DNS Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name, such as www.paloaltonetworks.com, to an IP address so that users ...
Use Case 1: Firewall Requires DNS Resolution
Use Case 1: Firewall Requires DNS Resolution In this use case, the firewall is the client requesting DNS resolutions of FQDNs for Security policy rules, ...
DNS Proxy Object
DNS Proxy Object When configured as a DNS proxy, the firewall is an intermediary between DNS clients and servers; it acts as a DNS server ...
DNS Proxy Settings
DNS Proxy Settings Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on ...
DNS Overview DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers ...
Configure a DNS Proxy Object
Configure a DNS Proxy Object If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object . ...
Configure a DNS Server Profile
Configure a DNS Server Profile Configure a DNS Server Profile , which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address ...