Destination NAT with DNS Rewrite Use Cases
The destination NAT topology with a DNS Server and the DNS response determine how you configure DNS Rewrite (in the reverse or forward direction).
When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall doesn’t perform NAT on that IP address, so the DNS server provides an internal IP address to an external device, or vice versa, resulting in the DNS client being unable to connect to the destination service.
Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the translated IP address configured for the NAT policy rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also causes the firewall to perform NAT on IP addresses in DNS responses that match the original destination address or translated destination address in the rule.
DNS rewrite occurs at the global level; the firewall maps the Destination Address on the Original Packet tab to the Destination Address on the Translated Packet tab. All other fields on the Original Packet tab are ignored. When a DNS response packet arrives, the firewall checks whether the response contains any A Record that matches one of the mapped destination addresses, based on the direction, as follows.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule:
- reverse—If the DNS response matches theTranslatedDestination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address18.104.22.168 to 192.168.1.10, the firewall rewrites a DNS response of192.168.1.10 to 22.214.171.124.
- forward—If the DNS response matches theOriginalDestination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address126.96.36.199 to 192.168.1.10, the firewall rewrites a DNS response of188.8.131.52 to 192.168.1.10.
If you have an overlapping NAT rule with DNS Rewrite disabled, and a NAT rule below it that has DNS Rewrite enabled and is included in the overlap, the firewall rewrites the DNS response according to the overlapped NAT rule (in either
forwardsetting). The rewrite takes precedence and the order of the NAT rules is ignored.
Consider the use cases for configuring DNS rewrite:
Recommended For You
Recommended videos not found.