Destination NAT with DNS Rewrite Use Cases

The destination NAT topology, the location of the DNS server relative to the firewall, and the address the DNS response carries together determine whether you configure DNS Rewrite in the reverse or the forward direction.
When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall doesn’t perform NAT on that IP address, so the DNS server provides an internal IP address to an external device, or vice versa, resulting in the DNS client being unable to connect to the destination service.
Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the translated IP address configured for the NAT policy rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also causes the firewall to perform NAT on IP addresses in DNS responses that match the original destination address or translated destination address in the rule. You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward. For example:
  • If you enable DNS rewrite with the reverse setting in a NAT rule that performs static translation of IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response in the reverse way, translating 192.168.1.10 to 1.1.1.10.
  • If you enable DNS rewrite with the forward setting in a NAT rule that performs static translation of IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response in the same way, translating 1.1.1.10 to 192.168.1.10.
If you have an overlapping NAT rule with DNS Rewrite disabled, and a NAT rule below it that has DNS Rewrite enabled and is included in the overlap, the firewall rewrites the DNS response according to the lower rule that has DNS Rewrite enabled (in either the reverse or forward setting). For the DNS response, the DNS Rewrite setting takes precedence and the order of the NAT rules is ignored.
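To make the reverse and forward semantics and the overlap behaviour concrete, the following is an added Python model; it is not Palo Alto Networks code and does not call any PAN-OS API. It assumes that a reverse rewrite only touches A-record answers equal to the rule's translated destination address, that a forward rewrite only touches answers equal to the rule's original destination address, and that for overlapping rules the first rule in order that both matches the answer and has DNS Rewrite enabled is applied, with rules that have it disabled skipped. The rule names, the `NatRule` structure, the addresses and the hand-built DNS response are constructed sample data.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Union

# Added model of destination-NAT DNS Rewrite; not PAN-OS code.
# NatRule, the rule names and the sample DNS message are constructed here.


@dataclass(frozen=True)
class NatRule:
    name: str
    original_dst: IPv4Address            # pre-NAT destination (e.g. public 1.1.1.10)
    translated_dst: IPv4Address          # post-NAT destination (e.g. internal 192.168.1.10)
    dns_rewrite: Optional[str] = None    # None (disabled), "reverse" or "forward"


def rewrite_answer(rules: List[NatRule], answer: Union[str, IPv4Address]) -> IPv4Address:
    """Return the address the firewall places in a DNS A record.

    reverse: answer == translated_dst  ->  original_dst
             (internal DNS answering an external client)
    forward: answer == original_dst    ->  translated_dst
             (external DNS answering an internal client)
    Rules with DNS Rewrite disabled never touch DNS responses, so an
    overlapping rule with rewrite enabled wins even if it sits lower in
    the rulebase (assumption: first enabled, matching rule is applied).
    """
    ip = IPv4Address(answer)
    for rule in rules:
        if rule.dns_rewrite == "reverse" and ip == rule.translated_dst:
            return rule.original_dst
        if rule.dns_rewrite == "forward" and ip == rule.original_dst:
            return rule.translated_dst
    return ip


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:                  # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def rewrite_a_records(rules: List[NatRule], response: bytes) -> bytes:
    """Rewrite the RDATA of every A record in the answer section of a DNS response."""
    buf = bytearray(response)
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qdcount):             # question: QNAME QTYPE QCLASS
        off = _skip_name(buf, off) + 4
    for _ in range(ancount):             # answer: NAME TYPE CLASS TTL RDLENGTH RDATA
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # TYPE A with a 4-byte IPv4 address
            old = IPv4Address(bytes(buf[off:off + 4]))
            buf[off:off + 4] = rewrite_answer(rules, old).packed
        off += rdlen
    return bytes(buf)


def build_a_response(name: str, ip: Union[str, IPv4Address], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response with one question and one A record (sample data)."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)          # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                    # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer


# Sample rulebase: an overlapping rule without DNS Rewrite sits ABOVE the rule
# that enables it in the reverse direction (constructed for this illustration).
RULES = [
    NatRule("web-overlap-no-rewrite", IPv4Address("1.1.1.10"), IPv4Address("192.168.1.10")),
    NatRule("web-inbound", IPv4Address("1.1.1.10"), IPv4Address("192.168.1.10"), "reverse"),
]

# The same translation with DNS Rewrite in the forward direction.
FORWARD_RULES = [
    NatRule("web-outbound", IPv4Address("1.1.1.10"), IPv4Address("192.168.1.10"), "forward"),
]


def demo() -> str:
    """Internal DNS answers 192.168.1.10; the external client must receive 1.1.1.10."""
    resp = build_a_response("www.example.com", "192.168.1.10")
    rewritten = rewrite_a_records(RULES, resp)
    assert len(rewritten) == len(resp)   # only RDATA changes, the message layout does not
    return str(IPv4Address(bytes(rewritten[-4:])))


if __name__ == "__main__":
    print(demo())
```

The model rewrites only the four-byte RDATA of A records, which matches the behaviour the text describes (the FQDN resolution in the response is translated, nothing else), and the packet length is unchanged so no DNS header or compression offsets need adjusting.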
Consider the use cases for configuring DNS rewrite: