DNS Rewrite for Destination NAT

Create a destination NAT policy rule for static translation that also rewrites the IPv4 address in a DNS response based on the NAT rule.
When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall doesn’t perform NAT on that IP address, meaning the DNS server provides an internal IP address to an external device, or vice versa. This results in the DNS client being unable to connect to the destination service.
Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the NAT policy rule. The firewall performs NAT on the IP address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also perform NAT on IP addresses in DNS responses when that IP address (from the A Record) matches the original destination address or translated destination address in the NAT rule.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward. For example, if you enable DNS rewrite with the reverse setting in a destination NAT rule that performs static translation of IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response (that matches the rule) in the opposite direction, translating 192.168.1.10 to 1.1.1.10. If you select the forward setting, the firewall rewrites a DNS response (that matches the rule) in the same direction as the destination NAT rule, translating 1.1.1.10 to 192.168.1.10. Determine which setting to configure based on your DNS rewrite use case.
You can enable DNS rewrite only for a NAT policy rule of type ipv4 and a destination address translation type of Static IP. DNS rewrite requires Applications and Threats content update 8147 or a later version.
  1. Create a destination NAT policy rule that specifies that the firewall perform static translation of IPv4 addresses that match the rule, and also specifies that the firewall rewrite IP addresses in DNS responses that match the rule.
    1. Select Policies > NAT and Add a NAT policy rule.
    2. For NAT Type, select ipv4.
    3. On the Original Packet tab, for Source Zone, Add the appropriate zone.
    4. For Destination Zone, select the appropriate zone.
    5. (Optional) Add Source Address, Destination Address, Destination Interface, and/or Service to further define the rule.
    6. On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
    7. Enter the Translated Address (the destination IP address to which the firewall translates the original destination IP address).
    8. Enable DNS Rewrite and select a Direction:
       • Select reverse (default) when the IP address in the DNS response requires the opposite of the translation that the NAT rule specifies.
       • Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies.
    9. Click OK.
  2. Commit your changes.
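The matching rule described above can be illustrated with an added example, written here in Python; it is not Palo Alto Networks code and does not show how PAN-OS implements the feature internally. It walks the answer section of a constructed DNS response and rewrites only the A records whose address matches the NAT rule's original or translated destination, in the chosen direction, using the page's 1.1.1.10 / 192.168.1.10 addresses; the minimal DNS message builder is an assumed helper written for this example.

```python
import ipaddress
import struct

def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def iter_a_records(msg):
    """Yield (rdata_offset, ipv4_string) for each IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                 # skip the fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen

def rewrite_dns_response(msg, original_dst, translated_dst, direction="reverse"):
    """Rewrite only A records that match the NAT rule's original or translated destination."""
    directions = {"reverse": (translated_dst, original_dst),   # answer holds the inside address
                  "forward": (original_dst, translated_dst)}   # answer holds the outside address
    match, new = directions[direction]       # KeyError for any other direction
    out = bytearray(msg)
    for off, ip in iter_a_records(msg):
        if ip == match:
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)

def build_response(name, ips, txid=0x1234):
    """Construct a minimal DNS response (one IN A answer per IP) as sample input (assumed helper)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + qname + struct.pack("!HH", 1, 1) + answers

# Constructed sample: the internal DNS server answers with 192.168.1.10 plus an unrelated host.
SAMPLE_RESPONSE = build_response("app.example.com", ["192.168.1.10", "192.168.1.11"])
```

Only the record that matches the rule is rewritten; the unrelated 192.168.1.11 answer passes through unchanged, which is what to expect when you verify the feature with a DNS query from the client side.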
