DNS Rewrite for Destination NAT
Create a destination NAT policy rule for static translation that also rewrites the IPv4 address in a DNS response based on the NAT rule.
When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall doesn’t perform NAT on that IP address, meaning the DNS server provides an internal IP address to an external device, or vice versa. This results in the DNS client being unable to connect to the destination service.
Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the NAT policy rule. The firewall performs NAT on the IP address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also perform NAT on IP addresses in DNS responses when that IP address (from the A Record) matches the original destination address or translated destination address in the NAT rule.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward. For example, if you enable DNS rewrite with the reverse setting in a destination NAT rule that performs static translation of IP address 188.8.131.52 to 192.168.1.10, the firewall rewrites a DNS response (that matches the rule) in the reverse way, translating 192.168.1.10 to 184.108.40.206. If you select the forward setting, the firewall rewrites a DNS response (that matches the rule) in the same way as the destination NAT rule, translating 220.127.116.11 to 192.168.1.10. Determine which setting to configure based on your DNS rewrite use case.
You can enable DNS rewrite only for a NAT policy rule of type ipv4 and a destination address translation type of Static IP. DNS rewrite requires Applications and Threats content update 8147 or a later version.
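The forward and reverse behaviour described above, as an added example that is not part of the original documentation or of PAN-OS itself: a Python model that parses a minimal DNS response, applies a constructed static destination NAT rule (203.0.113.10 to 192.168.1.10, sample values) to A records whose address matches the relevant side of the rule, and leaves every other answer untouched. The function names, the RULE dictionary and the sample response are assumptions made for illustration.

```python
import struct
import ipaddress
# Constructed static destination NAT rule with DNS rewrite enabled (sample values only).
RULE = {"original": "203.0.113.10", "translated": "192.168.1.10"}
def _skip_name(pkt, off):
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length
def a_records(pkt):
    """Return [(rdata_offset, dotted_addr)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record: 4-byte IPv4 RDATA
            found.append((off, str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))))
        off += rdlen
    return found
def rewrite_dns_response(pkt, rule, direction):
    """Rewrite A-record addresses matching the rule: forward applies the rule as
    written (original -> translated), reverse applies the opposite translation."""
    if direction == "forward":
        match, repl = rule["original"], rule["translated"]
    elif direction == "reverse":
        match, repl = rule["translated"], rule["original"]
    else:
        raise ValueError("direction must be 'forward' or 'reverse'")
    out = bytearray(pkt)
    for off, addr in a_records(pkt):
        if addr == match:                  # non-matching answers pass through unchanged
            out[off:off + 4] = ipaddress.IPv4Address(repl).packed
    return bytes(out)
def build_response(qname, addrs, txid=0x1234):
    """Construct a minimal DNS response: one question plus one A record per address."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + name + struct.pack("!HH", 1, 1)
    for a in addrs:                        # 0xC00C points back to the question name at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return pkt
```

With the reverse setting, an internal address handed out by an inside DNS server is rewritten to the rule's original (public) address before it reaches the outside client, while an unrelated answer in the same response is left as-is.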
- Create a destination NAT policy rule that specifies that the firewall perform static translation of IPv4 addresses that match the rule, and also specifies that the firewall rewrite IP addresses in DNS responses that match the rule.
- Select Policies > NAT and Add a NAT policy rule.
- For NAT Type, select ipv4.
- On the Original Packet tab, for Source Zone, Add the appropriate zone.
- For Destination Zone, select the appropriate zone.
- (Optional) Add Source Address, Destination Address, Destination Interface, and/or Service to further define the rule.
- On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
- Enter the Translated Address (the destination IP address to which the firewall translates the original destination IP address).
- Enable DNS Rewrite and select a Direction:
  - Select reverse (default) when the IP address in the DNS response requires the opposite translation from the one the NAT rule specifies.
  - Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies.
- Commit your changes.