End-of-Life (EoL)
DNS Rewrite for Destination NAT
Create a destination NAT policy rule for static translation
that also rewrites the IPv4 address in a DNS response based on the
NAT rule.
When you use destination NAT to perform a
static translation from one IPv4 address to a different IPv4 address,
you may also be using DNS services on one side of the firewall to
resolve FQDNs for a client. When the DNS response containing the
IP address traverses the firewall to go to the client, the firewall
doesn’t perform NAT on that IP address, meaning the DNS server provides
an internal IP address to an external device, or vice versa. This
results in the DNS client being unable to connect to the destination
service.
Beginning with PAN-OS 9.0.2 and in later 9.0 releases,
you can configure the firewall to rewrite the IP address in the
DNS response (from the A Record) based on the NAT policy rule. The
firewall performs NAT on the IP address (the FQDN resolution) in
the DNS response before forwarding the response to the client; thus,
the client receives the appropriate address to reach the destination
service. A single NAT policy rule causes the firewall to perform
NAT on packets that match the rule, and also perform NAT on IP addresses
in DNS responses when that IP address (from the A Record) matches
the original destination address or translated destination address in
the NAT rule.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward. For example, if you enable DNS rewrite with the reverse setting in a destination NAT rule that performs static translation of IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response (that matches the rule) in the reverse way, translating 192.168.1.10 to 1.1.1.10. If you select the forward setting, the firewall rewrites a DNS response (that matches the rule) in the same way as the destination NAT rule, translating 1.1.1.10 to 192.168.1.10. Determine which setting to configure based on your DNS rewrite use case.
You can enable DNS rewrite only for a NAT policy rule of type ipv4 and a destination address translation type of Static IP.
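As an added illustration (not PAN-OS code or configuration), the following Python models the matching rule described above: it parses a raw DNS response, locates the A record, and rewrites the address in the reverse or forward direction of a 1.1.1.10 to 192.168.1.10 static destination NAT rule. The packet bytes and the name www.example.com are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

def rewrite_ip(answer_ip, nat_original, nat_translated, direction):
    # reverse: translated -> original; forward: original -> translated (same way as the NAT rule)
    if direction == "reverse":
        return nat_original if answer_ip == nat_translated else answer_ip
    if direction == "forward":
        return nat_translated if answer_ip == nat_original else answer_ip
    raise ValueError("direction must be 'reverse' or 'forward'")

def _skip_name(msg, off):
    # Walk labels until the root label (0) or a 2-byte compression pointer (top bits 11)
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1
    return off + 2

def _a_record_offsets(msg):
    """Yield the RDATA offset of every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                            # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 1 and rdlen == 4:   # TYPE A carries a 4-byte IPv4 address
            yield off
        off += rdlen

def answer_ips(msg):
    return [str(IPv4Address(bytes(msg[o:o + 4]))) for o in _a_record_offsets(msg)]

def rewrite_dns_response(msg, nat_original, nat_translated, direction):
    """Return a copy of the response with matching A-record addresses rewritten in place."""
    buf = bytearray(msg)
    for off in _a_record_offsets(buf):
        ip = str(IPv4Address(bytes(buf[off:off + 4])))
        buf[off:off + 4] = IPv4Address(rewrite_ip(ip, nat_original, nat_translated, direction)).packed
    return bytes(buf)

def build_response(name, ip):
    # Constructed sample: one question plus one A answer whose name is a pointer to offset 12
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Answers that match neither address in the rule pass through unchanged, which mirrors the matching condition the text describes.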
DNS rewrite requires Applications and Threats content update 8147 or a later version.
- Create a destination NAT policy rule that specifies the firewall perform static translation of IPv4 addresses that match the rule, and also specifies the firewall rewrite IP addresses in DNS responses that match the rule.
- Select Policies > NAT and Add a NAT policy rule.
- For NAT Type, select ipv4.
- On the Original Packet tab, for Source Zone, Add the appropriate zone.
- For Destination Zone, select the appropriate zone.
- (Optional) Add Source Address, Destination Address, Destination Interface, and/or Service to further define the rule.
- On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
- Enter the Translated Address (the destination IP address to which the firewall translates the original destination IP address).
- Enable DNS Rewrite and select a Direction:
  - Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies.
  - Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies.
- Click OK.
- Commit your changes.