>
    Strata Copilot
    Configure System for DNS Survivability
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Sites and Devices
    5. Use External Services for Monitoring
    6. Prisma SD-WAN DNS Use Cases
    7. Configure System for DNS Survivability
    Download PDF
    Prisma SD-WAN

    Configure System for DNS Survivability

    Table of Contents

    Configure System for DNS Survivability

    Prisma SD-WAN Configure DNS Survivability Use case.The DNS service configuration is now enabled on the ION device and will answer DNS queries on the selected interfaces.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    In the modern branch, most systems rely heavily on SaaS solutions for most day to day tasks. These include productivity tools such as Office 365, credit card processing systems such as Square, and POS (point-of-sale) systems such as Aloha; all delivered from the public internet. Besides DNS resolution, these systems have no dependency on private networks.
    Using the Prisma SD-WAN DNS service, the system can be configured to use public internet DNS systems by default while sending internal domain name resolution requests to private DNS servers in the network. The majority of site services remain active and functional if the branch is unable to connect with the centralized, private DNS servers.
    DNS and Trusted SaaS App Traffic Flow before Prisma SD-WAN
    When the branch PC sends a DNS resolution request to the DNS server located in the central data center, the data center DNS server receives the request and responds, if known or cached. Else, forwards the request to the upstream DNS server.
    The branch PC receives the DNS response with the IP address information for the trusted SaaS application. The connection request is sent to the destination server. The data center firewall receives the inbound connection request from the WAN edge MPLS router and forwards it to the internet.
    The SaaS service receives the TCP connection request and sends an acknowledgment back to the data center firewall. The branch PC receives the TCP connection acknowledgment.
    DNS and Trusted SaaS App Traffic Flow After Prisma SD-WAN
    When the branch PC sends the DNS resolution request to the local branch ION, configured as the primary DNS server, the ION DNS service receives the request and responds if the domain record is cached. Else, it forwards the request to the upstream DNS server based on the configuration. The internet DNS server receives the request and responds to the branch ION. The branch ION forwards the response to the branch PC.
    The branch PC receives the DNS response with the IP address information for the trusted SaaS application, and the connection request is sent to the destination server. The branch ION receives a connection request for the trusted SaaS application and sends it directly onto the internet path per policy.
    The SaaS service receives the TCP connection request and sends an acknowledgment back to the branch ION. The branch PC receives the TCP connection acknowledgment.
    Configure the system to facilitate the DNS survivability use case.
    1. SelectConfigurationPrisma SD-WANProfiles and TemplatesDNSDNS Service Rolesand create a new service role called Listen and Forward. Select DNS ServiceDNS Service Profiles and click to Create DNS Profile a new DNS service profile.
    2. On the Basic screen, enter a name for the DNS profile and add a DNS Server.
      1. Specify the internal DNS server IP address.
      2. Select Domain Names and define all internal top-level domain names. For example, internal.com.
      3. Specify the Listen and Forward DNS Service Roles created in Step 1.
      4. Click Save.
        Repeat the procedure per internal DNS server system.
    3. Add a DNS Server from DNS Servers.
      1. Specify the internet DNS Server IP address.
      2. Specify the DNS Service Roles, Listen and Forward, created in Step 1.
        Do not enter the Domain Name.
      3. Click Save.
        Repeat the procedure per internet DNS server system.
      4. Click Save and Submit.
    4. Configure the ION device to use the DNS service.
      1. Navigate to the ION configuration page and select DNS Service.
      2. Enter a name for the DNS service and select the DNS Profile created in Step 2.
      3. In DNS Service Role Bindings, click Add.
      4. Select the DNS Role, Listen and Forward from the drop-down.
      5. Select all relevant LAN interfaces that will receive and forward the requests and Enable the service.
      6. Click Save.
        The DNS service configuration is now enabled on the ION device and will answer DNS queries on the selected interfaces. After testing that the Prisma SD-WAN DNS service is configured per requirements, the DNS server IP addresses can be changed in the DHCP scope to the respective default gateway (ION LAN interfaces), the branch subnets, or specified manually on systems with static IP configuration.
        With the Prisma SD-WAN system deployed and the DNS service enabled, the branch systems utilizing SaaS services no longer rely on the centralized data center resources to function. In the event of a data center failure, none of the SaaS application services will be affected. This is due to all necessary functions delivered by the ION device through the DNS service and the ability to put trusted SaaS application traffic directly onto the internet with a scalable and straightforward path policy rule.

    © 2026 Palo Alto Networks, Inc. All rights reserved.