This page shows the possible configurations you can use for Prisma Access to resolve DNS queries for mobile users and remote networks.

Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. Whether Prisma Access proxies the DNS request depends on how you configure your DNS servers. The following table shows the supported DNS resolution methods for internal and external domains and indicates when Prisma Access proxies the DNS requests.
| Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No) |
|---|---|---|
| Single rule, DNS server configured for Internal Domains | Cloud Default | Yes |
| Single rule, DNS server configured for Internal Domains | Same as Internal Domains | No |
| Single rule, DNS server configured for Internal Domains | Custom DNS server | Yes |
| Single rule, Cloud Default set for a domain | Cloud Default | Yes |
| Single rule, Cloud Default set for a domain | Same as Internal Domains | Yes |
| Single rule, Cloud Default set for a domain | Custom DNS server | Yes |
| Multiple rules, DNS server configured for Internal Domains | Cloud Default | Yes |
| Multiple rules, DNS server configured for Internal Domains | Same as Internal Domains | Yes |
| Multiple rules, DNS server configured for Internal Domains | Custom DNS server | Yes |
| No configuration | Custom DNS Server | Yes |
| No configuration | Cloud Default | No |
| No configuration | No configuration | No |
| No DNS resolution specified (default configuration is present, which uses Cloud Default) | No DNS resolution specified | No |
The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS request.

When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request is the IP address of the device that requested the DNS lookup. This source IP address allows you to enforce source IP address-based DNS policies and to identify endpoints that communicate with malicious domains. This behavior applies to both mobile user and remote network deployments.
When Prisma Access proxies the DNS requests, the source IP address of the DNS request changes to the following addresses:

Remote Network deployments—The source IP address of the DNS request is the EBGP Router Address for internal requests and the Service IP Address of the remote network connection for external requests.
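The distinction above matters when you hunt for endpoints that queried malicious domains: once Prisma Access proxies the request, the source IP in the resolver's logs is a proxy address, not the endpoint. As an added example that is not part of Prisma Access or this page, the following Python routine scans constructed DNS log lines for watchlisted domains and marks each hit as attributable to an endpoint only when the source IP is not one of the proxy addresses (an assumed EBGP Router Address and Service IP Address, both constructed values).

```python
"""Triage DNS query logs: a query for a watchlisted domain is attributable to an
endpoint only when its source IP is not a Prisma Access proxy address.
Added example, not Prisma Access code; all values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed values: in a real deployment take the EBGP Router Address and the
# Service IP Address of each remote network connection from the Prisma Access
# configuration. A query with one of these as source IP was proxied, so the
# source IP does not identify the endpoint that requested the lookup.
PROXY_SOURCE_IPS = {
    "192.0.2.1": "EBGP Router Address (internal requests)",
    "203.0.113.10": "Service IP Address (external requests)",
}
# Constructed watchlist standing in for a threat-intelligence feed.
MALICIOUS_DOMAINS = {"bad.example.net", "c2.example.org"}
# Constructed log lines in the form "<source_ip> <query_name> <rcode>".
SAMPLE_LOG = """\
10.1.1.25 intranet.example.com NOERROR
10.1.1.25 bad.example.net NOERROR
192.0.2.1 c2.example.org NOERROR
203.0.113.10 www.example.com NOERROR
10.1.1.40 c2.example.org NXDOMAIN
"""

@dataclass(frozen=True)
class Finding:
    src_ip: str
    domain: str
    attributable: bool  # True when src_ip is the endpoint that sent the query
    note: str

def parse_line(line):
    src, name, _rcode = line.split()
    ip_address(src)  # raises ValueError on a malformed address
    return src, name.lower().rstrip(".")

def triage(log_text):
    """Return one Finding per query for a watchlisted domain."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        src, name = parse_line(line)
        if name not in MALICIOUS_DOMAINS:
            continue
        if src in PROXY_SOURCE_IPS:
            note = "proxied: " + PROXY_SOURCE_IPS[src] + "; correlate upstream"
        else:
            note = "endpoint IP, usable for source-IP DNS policy"
        findings.append(Finding(src, name, src not in PROXY_SOURCE_IPS, note))
    return findings
```

Proxied hits are still real detections; the note flags that the endpoint must be recovered from the remote network or mobile user logs rather than from the resolver's source IP.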
The following guidelines and restrictions apply to using DNS resolution with Prisma Access:

The maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that Prisma Access supports is 64.

For UDP queries, the DNS proxy sends another request if it hasn't received a response in 2 seconds, and retries a maximum of 5 times before trying the next DNS server.

Prisma Access caches the DNS entries with a time-to-live (TTL) value of 300 seconds. EDNS responses are also cached.