DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments
This page shows the possible configurations you can use for Prisma Access to resolve DNS queries for mobile users and remote networks.
Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. Prisma Access proxies the DNS request based on the configuration of your DNS servers. The following table shows the supported DNS resolution methods for internal and external domains and indicates when Prisma Access proxies the DNS requests.
| Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No) |
|---|---|---|
| Single rule, DNS server configured for Internal Domains | Cloud Default | Yes |
| Single rule, DNS server configured for Internal Domains | Same as Internal Domains | No |
| Single rule, DNS server configured for Internal Domains | Custom DNS server | Yes |
| Single rule, Cloud Default set for a domain | Cloud Default | Yes |
| Single rule, Cloud Default set for a domain | Same as Internal Domains | Yes |
| Single rule, Cloud Default set for a domain | Custom DNS server | Yes |
| Multiple rules, DNS server configured for Internal Domains | Cloud Default | Yes |
| Multiple rules, DNS server configured for Internal Domains | Same as Internal Domains | Yes |
| Multiple rules, DNS server configured for Internal Domains | Custom DNS server | Yes |
| No configuration | Custom DNS Server | Yes |
| No configuration | Cloud Default | No |
| No configuration | No configuration | No |
| No DNS resolution specified (default configuration is present, which uses Cloud Default) | No DNS resolution specified | No |
The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS request.
  • When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request is the IP address of the device that requested the DNS lookup. This source IP address allows you to enforce source IP address-based DNS policies or to identify the endpoints that communicate with malicious domains. This behavior applies to both mobile users and remote network deployments.
  • When Prisma Access proxies the DNS requests, the source IP address of the DNS request changes to the following addresses:
The following guidelines and restrictions apply to using DNS resolution with Prisma Access:
  • The maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that Prisma Access supports is 64.
  • For UDP queries, the DNS proxy sends another request if it hasn’t received a response in 2 seconds, and retries a maximum of 5 times before trying the next DNS server.
  • Prisma Access caches the DNS entries with a time-to-live (TTL) value of 300 seconds. EDNS responses are also cached.
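The following is an added Python model of the retry, fail-over and caching behavior described in the guidelines above; it is not Palo Alto Networks code. It assumes that "retries a maximum of 5 times" means five retries after the initial attempt, and that the proxy walks the configured servers in order before reporting failure; the server addresses and answer are constructed sample values.

```python
"""Model of the DNS proxy timing described on this page (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

UDP_TIMEOUT_S = 2    # page: resend if no response within 2 seconds
MAX_RETRIES = 5      # page: at most 5 retries before the next DNS server
CACHE_TTL_S = 300    # page: cached entries live for 300 seconds

# A transport answers a (server, name) query with an answer string, or None
# when nothing arrives within the timeout. Real code would send UDP/53 here.
Transport = Callable[[str, str], Optional[str]]


@dataclass
class DnsProxy:
    servers: list
    transport: Transport
    now: float = 0.0                              # simulated clock (seconds)
    cache: dict = field(default_factory=dict)     # name -> (answer, expires_at)
    attempts: int = 0                             # queries actually sent

    def resolve(self, name: str) -> Optional[str]:
        """Answer from cache if fresh, else walk servers with retries."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return hit[0]
        for server in self.servers:
            for _ in range(1 + MAX_RETRIES):      # initial attempt plus retries
                self.attempts += 1
                answer = self.transport(server, name)
                if answer is not None:
                    self.cache[name] = (answer, self.now + CACHE_TTL_S)
                    return answer
                self.now += UDP_TIMEOUT_S         # waited the full timeout
        return None                               # every server exhausted


def worst_case_delay_s(server_count: int) -> float:
    """Longest a client can wait before the proxy gives up on all servers."""
    return server_count * (1 + MAX_RETRIES) * UDP_TIMEOUT_S


# Constructed sample: the first server never answers, the second one does.
def sample_transport(server: str, name: str) -> Optional[str]:
    return None if server == "10.0.0.1" else "192.0.2.10"
```

With one unresponsive server ahead of a working one, the model shows a 12-second stall on the first lookup, after which the cached answer is served without any further queries until the TTL expires.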