Create a destination NAT policy rule for static translation
that also rewrites the IPv4 address in a DNS response based on the
When you use destination NAT to perform a
static translation from one IPv4 address to a different IPv4 address,
you may also be using DNS services on one side of the firewall to
resolve FQDNs for a client. When the DNS response containing the
IP address traverses the firewall to go to the client, the firewall
doesn’t perform NAT on that IP address, meaning the DNS server provides
an internal IP address to an external device, or vice versa. This
results in the DNS client being unable to connect to the destination
Beginning with PAN-OS 9.0.2 and in later 9.0 releases,
you can configure the firewall to rewrite the IP address in the
DNS response (from the A Record) based on the NAT policy rule. The
firewall performs NAT on the IP address (the FQDN resolution) in
the DNS response before forwarding the response to the client; thus,
the client receives the appropriate address to reach the destination
service. A single NAT policy rule causes the firewall to perform
NAT on packets that match the rule, and also perform NAT on IP addresses
in DNS responses when that IP address (from the A Record) matches
the original destination address or translated destination address in
the NAT rule.
You must specify how the firewall performs NAT
on the IP address in the DNS response relative to the NAT rule:
For example, if you enable DNS rewrite with the
in a destination NAT rule that performs static translation of IP
220.127.116.11 to 192.168.1.10
, the firewall rewrites a
DNS response (that matches the rule) in the reverse way, translating
. If you select the
the firewall rewrites a DNS response (that matches the rule) in
the same way as the destination NAT rule, translating
can enable DNS rewrite only for a NAT policy rule of type
a destination address translation type of
DNS rewrite requires Applications and Threats content update 8147
or a later version.
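The DNS rewrite behaviour described above, as an added example that is not PAN-OS code or configuration from this page: a small Python simulation of a destination NAT rule that performs static translation and also rewrites the A-record address in a DNS response. The rule model (`DestNatRule`), the direction labels `"reverse"` and `"forward"`, and the DNS packet builder are assumptions made for illustration; the addresses 220.127.116.11 and 192.168.1.10 are the ones used in the text. The packet walker handles a real wire-format response, including compressed names, so it also covers responses with several answer records, not only the single-record case described above.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class DestNatRule:
    """Destination NAT rule doing static IPv4 translation (assumed model)."""
    original_dst: str           # destination address before translation
    translated_dst: str         # address the firewall translates it to
    dns_rewrite: Optional[str]  # "reverse", "forward" or None (labels assumed)


def rewrite_ip(rule: DestNatRule, ip: str) -> str:
    """Apply the rule's DNS rewrite to one A-record address.

    reverse: the response carries the translated address, so hand the
             client the original (pre-NAT) address instead.
    forward: the response carries the original address, so hand the
             client the translated address, the same way the NAT rule does.
    Addresses that match neither side of the rule are left untouched.
    """
    if rule.dns_rewrite == "reverse" and ip == rule.translated_dst:
        return rule.original_dst
    if rule.dns_rewrite == "forward" and ip == rule.original_dst:
        return rule.translated_dst
    return ip


def encode_name(name: str) -> bytes:
    """Encode an FQDN as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def build_dns_response(qname: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a DNS response with a single A record for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def _walk_answers(packet: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(packet, offset) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = skip_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10                               # TYPE, CLASS, TTL, RDLENGTH
        yield offset, rtype, rdlen
        offset += rdlen


def answer_ips(packet: bytes) -> List[str]:
    """Extract the IPv4 addresses carried by the A records of a response."""
    return [str(ipaddress.IPv4Address(packet[off:off + 4]))
            for off, rtype, rdlen in _walk_answers(packet)
            if rtype == 1 and rdlen == 4]


def rewrite_dns_response(rule: DestNatRule, packet: bytes) -> bytes:
    """Return the response as the firewall would forward it to the client."""
    out = bytearray(packet)
    for off, rtype, rdlen in _walk_answers(packet):
        if rtype == 1 and rdlen == 4:
            current = str(ipaddress.IPv4Address(packet[off:off + 4]))
            out[off:off + 4] = ipaddress.IPv4Address(rewrite_ip(rule, current)).packed
    return bytes(out)


if __name__ == "__main__":
    # Internal DNS answers with the private address; an external client
    # needs the public one, so the rule rewrites in the reverse direction.
    rule = DestNatRule("220.127.116.11", "192.168.1.10", dns_rewrite="reverse")
    response = build_dns_response("app.example.com", "192.168.1.10")
    print(answer_ips(response), "->", answer_ips(rewrite_dns_response(rule, response)))
```

Only the A-record rdata is touched; the header, question and any non-A records pass through unchanged, which matches the text's statement that the rewrite applies to the address from the A Record when it equals the rule's original or translated destination.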
Create a destination NAT policy rule that specifies
the firewall perform static translation of IPv4 addresses that match
the rule, and also specifies the firewall rewrite IP addresses in DNS responses that
match the rule.
NAT policy rule.
the appropriate zone.
further define the rule.
for Destination Address Translation, select
destination IP address to which the firewall translates the original
destination IP address).
Enable DNS Rewrite
when the IP address in the DNS response requires the opposite translation
that the NAT rule specifies.
when the IP address
in the DNS response requires the same translation that the NAT rule