DNS Resolution for Mobile Users—Explicit Proxy Deployments

Shows the possible configurations you can use for Prisma Access to resolve DNS queries for Explicit Proxy users.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.
  • Mobile User license
  • Prisma Access version 6.0
  • Panorama plugin version 6.0
Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. Prisma Access proxies the DNS request based on the configuration of your DNS servers. Explicit Proxy supports the following DNS functionalities:
  • Using a third-party browser with explicit proxy
  • Using a per-region DNS server with Prisma Access Browser
  • DNS Proxy for explicit proxy configuration takes precedence over internal DNS Servers settings defined under Prisma Access Setup.
  • After enabling the DNS Proxy for explicit proxy, you have to migrate the existing DNS configuration from Prisma Access Setup > Internal DNS Servers to Workflows > Prisma Access Setup > Explicit Proxy > Infrastructure Settings > DNS Proxy.

DNS Resolution for Mobile Users—Explicit Proxy Deployments (Strata Cloud Manager)

This task shows the possible configurations you can use for Prisma Access to resolve DNS queries for Explicit Proxy users using Strata Cloud Manager.
To configure DNS Proxy settings, complete the following steps:
  1. Add an Explicit Proxy DNS server rule.
    1. Go to Workflows > Prisma Access Setup > Explicit Proxy > Infrastructure Settings.
    2. Click the settings icon and go to Client DNS.
    3. Add Region and give it a unique name.
    4. Select a region or location or select Worldwide.
      If you specify multiple proxy settings with a mix of Worldwide and theater settings, Prisma Access uses the settings for the location group, then theater, then Worldwide. Prisma Access evaluates the rules from top to bottom in the list.
    5. Add Region and give it a unique name.
    6. Add the DNS Server's IP address.
  2. Choose whether or not you want Prisma Access to Resolve internal domains; if you do, Add one or more Internal Domain Resolve Rules.
  3. Add and define the Internal Domain Resolve Rules.
    Currently, Internal Domain Resolve Rules is only supported for Prisma Access Browser and Agent Proxy.
  4. Add a unique Name for the rule and a custom IP address under Primary DNS and Secondary DNS.
  5. Select Prisma Access Default to use the default Prisma Access DNS server to resolve internal domains. If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the Domain List.
  6. If you have a Custom DNS server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses.
  7. If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the Domain Lists. Specify an asterisk in front of the domain; for example, *.acme.com.
  8. Use Static IP entries to resolve FQDNs to specific IP addresses.
  9. Add UDP Queries. You can add Interval (Sec) and specify the number of Attempts for the query.
  10. If you want to enable handling of DNS RCODEs, enable Advanced RCODE Support to allow the primary DNS server to fail over to the secondary DNS server, and Save.
    A DNS response code of SERVFAIL refers to a communication error with the primary DNS server, and a DNS response code of REFUSED means that the primary DNS server refused to provide the requested information. In both cases, the service fails over to the secondary DNS server.
  11. Push Config to save and push your configuration changes.

DNS Resolution for Mobile Users—Explicit Proxy Deployments (Panorama)

This task shows the possible configurations you can use for Prisma Access to resolve DNS queries for Explicit Proxy users.
To configure DNS Proxy settings, complete the following steps:
  1. Add an Explicit Proxy DNS server rule.
    1. Go to Panorama > Cloud Services > Configuration > Explicit Proxy > Explicit Proxy Connection Setup.
    2. Select Configure > Network Services.
    3. Click Add to add a region. Select a region or location or select Worldwide.
    4. Add a unique RULE NAME. If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the DOMAIN LIST. Specify an asterisk in front of the domain; for example, *.acme.com.
    5. Add a custom IP address under PRIMARY DNS and SECONDARY DNS. You can either Use Cloud Default or use a Custom DNS Server.
    6. If you have a Custom DNS Server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses.
    7. Select OK to save the region and the rule.
    8. Use Static IP entries to resolve FQDNs to specific IP addresses.
    9. Add UDP Queries Retries. You can add Interval (Sec) and specify the number of Attempts for the query.
    10. If you want to enable handling of DNS RCODEs, enable Advanced RCODE Support to allow the primary DNS server to fail over to the secondary DNS server, and select OK.
      A DNS response code of SERVFAIL refers to a communication error with the primary DNS server, and a DNS response code of REFUSED means that the primary DNS server refused to provide the requested information. In both cases, the service fails over to the secondary DNS server.
    11. Commit and push to Explicit_Proxy_Device_Group.
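
The RCODE failover rule described in both procedures above (SERVFAIL or REFUSED from the primary DNS server sends the query to the secondary) and the `*.acme.com` Domain List form can be checked against captured DNS replies with a short script. This is an added example, not Palo Alto Networks code: the function names, the label-boundary wildcard semantics, the treatment of exhausted UDP attempts as a failover, and the no-failover behaviour when Advanced RCODE Support is off are assumptions.

```python
import struct

SERVFAIL, REFUSED = 2, 5              # RCODE values defined in RFC 1035
FAILOVER_RCODES = {SERVFAIL, REFUSED}  # the two codes the page names

def rcode_of(message):
    """Extract the RCODE from a raw DNS response (12-byte RFC 1035 header)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", message[:4])
    if not flags & 0x8000:             # QR bit must be set on a response
        raise ValueError("message is a query, not a response")
    return flags & 0x000F              # RCODE is the low four bits of the flags

def in_domain_list(fqdn, domain_list):
    """Assumed semantics: '*.acme.com' covers any name below acme.com."""
    name = fqdn.rstrip(".").lower()
    for entry in domain_list:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*."):
            # Compare against ".acme.com" so "evilacme.com" cannot match.
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False

def pick_server(primary_reply, advanced_rcode):
    """Decide which server's answer is used for one query.

    primary_reply is the raw reply, or None when every UDP attempt timed
    out (assumption: exhausted attempts also move to the secondary).
    """
    if primary_reply is None:
        return "secondary"
    if advanced_rcode and rcode_of(primary_reply) in FAILOVER_RCODES:
        return "secondary"
    return "primary"

def make_reply(rcode):
    """Constructed sample: header-only DNS response carrying the given RCODE."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 0, 0, 0, 0)

if __name__ == "__main__":
    for code in (0, SERVFAIL, 3, REFUSED):
        print(code, pick_server(make_reply(code), advanced_rcode=True))
```

NXDOMAIN (RCODE 3) stays with the primary in this model, because the page lists only SERVFAIL and REFUSED as failover triggers.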