DNS Resolution for Mobile Users and Remote Networks
Prisma Access provides several ways to resolve DNS queries for mobile users and remote networks. The following sections describe the DNS resolution methods that Prisma Access supports for each deployment type, along with the steps you use to configure them.
DNS Resolution for Prisma Access
Prisma Access allows you to specify DNS servers
to resolve both domains that are internal to your organization and
external domains. Prisma Access proxies the DNS request based on
the configuration of your DNS servers. The following table shows
the supported DNS resolution methods for internal and external domains
and indicates when Prisma Access proxies the DNS requests.
Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No) |
---|---|---|
Single rule, DNS server configured for Internal Domains | Cloud Default | Yes |
Single rule, DNS server configured for Internal Domains | Same as Internal Domains | No |
Single rule, DNS server configured for Internal Domains | Custom DNS server | Yes |
Single rule, Cloud Default set for a domain | Cloud Default | Yes |
Single rule, Cloud Default set for a domain | Same as Internal Domains | Yes |
Single rule, Cloud Default set for a domain | Custom DNS server | Yes |
Multiple rules, DNS server configured for Internal Domains | Cloud Default | Yes |
Multiple rules, DNS server configured for Internal Domains | Same as Internal Domains | Yes |
Multiple rules, DNS server configured for Internal Domains | Custom DNS server | Yes |
No configuration | Cloud Default | No |
No configuration | Custom DNS Server | No |
No configuration | No configuration | No |
No DNS resolution specified (default configuration is present, which uses Cloud Default) | No DNS resolution specified | No |
The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS request.
- When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request is the IP address of the device that requested the DNS lookup. This source IP address allows you to enforce source IP address-based DNS policies on your DNS server and to identify endpoints that communicate with malicious domains. This behavior applies to both mobile user and remote network deployments.
- When Prisma Access proxies the DNS requests, the DNS server no longer sees the requesting device's address; the source IP address of the DNS request changes to the following addresses:
  - Mobile User deployments—The source IP address of the DNS request is an IP address taken from the mobile user IP address pool for internal requests and the mobile user location’s gateway IP address for external requests.
  - Remote Network deployments—The source IP address of the DNS request is the EBGP Router Address for internal requests and the Service IP Address of the remote network connection for external requests.
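The attribution point above is what a detection engineer needs when reading the DNS server's own query log: a hit on a bad domain can be pinned to an endpoint only when Prisma Access did not proxy the query. The following Python script is an added example, not code from Prisma Access or from the Palo Alto Networks documentation. It parses constructed BIND-style query log lines from an internal DNS server and labels each lookup of a watchlisted domain by whether its source is an endpoint address or one of the addresses Prisma Access substitutes when proxying. The mobile user pool (172.16.55.0/24), the location gateway (15.1.1.1), the EBGP Router Address (172.1.1.1) and the Service IP Address (35.1.1.1) are the values used in this page's figures; the 10.0.0.0/8 client range, the log line format and the watchlist are assumptions made for the example.

```python
"""Attribute DNS query sources in a Prisma Access deployment.

Added example: decides, from the source IP alone, whether a query logged by
an internal DNS server came straight from an endpoint (not proxied) or from
one of the addresses Prisma Access substitutes when it proxies the query.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Addresses from the page's example figures.
MOBILE_USER_POOL = ipaddress.ip_network("172.16.55.0/24")
MOBILE_USER_GATEWAY = ipaddress.ip_address("15.1.1.1")     # mobile user location gateway
EBGP_ROUTER_ADDRESS = ipaddress.ip_address("172.1.1.1")    # remote network EBGP Router Address
REMOTE_NETWORK_SERVICE_IP = ipaddress.ip_address("35.1.1.1")
# Assumption for this example: endpoint address space at HQ and remote sites.
CLIENT_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed (constructed) query-log format, loosely modelled on BIND's query log.
LOG_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def classify_source(src: str) -> Tuple[str, bool]:
    """Return (origin label, endpoint_identifiable) for a query source IP.

    Proxy addresses are checked before the client ranges so that a proxy
    address that happens to sit inside a client range is still reported
    as proxied.
    """
    ip = ipaddress.ip_address(src)
    if ip == EBGP_ROUTER_ADDRESS:
        return "prisma-access proxy (remote network, internal domain)", False
    if ip == REMOTE_NETWORK_SERVICE_IP:
        return "prisma-access proxy (remote network, external domain)", False
    if ip == MOBILE_USER_GATEWAY:
        return "prisma-access proxy (mobile user, external domain)", False
    if ip in MOBILE_USER_POOL:
        return "prisma-access proxy (mobile user, internal domain)", False
    if any(ip in net for net in CLIENT_SUBNETS):
        return "endpoint (query not proxied)", True
    return "unknown source", False


@dataclass
class Finding:
    qname: str
    src: str
    origin: str
    endpoint_identifiable: bool


def _in_watchlist(qname: str, watch: set) -> bool:
    # Exact match or any subdomain of a watchlisted name.
    return qname in watch or any(qname.endswith("." + w) for w in watch)


def triage(log_lines: Iterable[str], watchlist: Iterable[str]) -> List[Finding]:
    """Report every watchlisted lookup together with its source attribution."""
    watch = {d.lower().rstrip(".") for d in watchlist}
    findings: List[Finding] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:  # not a query line; ignore
            continue
        qname = m.group("qname").lower().rstrip(".")
        if not _in_watchlist(qname, watch):
            continue
        origin, identifiable = classify_source(m.group("src"))
        findings.append(Finding(qname, m.group("src"), origin, identifiable))
    return findings


# Constructed sample log lines; addresses follow the page's figures.
SAMPLE_LOG = [
    "client 10.10.10.1#40111: query: bad.example IN A +",              # mobile user device, not proxied
    "client 172.16.55.23#52010: query: intranet.corp.example IN A +",  # proxied internal lookup
    "client 15.1.1.1#41922: query: bad.example IN A +",                # proxied external lookup (mobile user)
    "client 35.1.1.1#49870: query: c2.bad.example IN A +",             # proxied external lookup (remote network)
    "client 10.1.1.1#53330: query: intranet.corp.example IN A +",      # remote network client, not proxied
    "zone corp.example/IN: loaded serial 2024030101",                  # unrelated line, skipped
]
WATCHLIST = ["bad.example"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WATCHLIST):
        where = "endpoint known" if f.endpoint_identifiable else "correlate with Prisma Access logs"
        print(f"{f.qname:<16} from {f.src:<13} {f.origin}; {where}")
```

Only the first finding names an endpoint; the other two carry a Prisma Access proxy address, so the endpoint has to be recovered from Prisma Access traffic or GlobalProtect logs rather than from the DNS server's log.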
The following guidelines and restrictions apply to using DNS resolution with Prisma Access:
- The maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that Prisma Access supports is 64.
- For UDP queries, the DNS proxy sends another request if it has not received a response within 2 seconds, and retries a maximum of 5 times before trying the next DNS server. A configured server that silently drops queries therefore delays every uncached lookup by the full retry sequence before Prisma Access moves on to the next server.
- Prisma Access caches DNS entries with a time-to-live (TTL) value of 300 seconds. EDNS responses are also cached.
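To see what the retry and cache figures above mean for a client, the following Python model is added here as an example; it is not Prisma Access code and does not reproduce its implementation. It drives a minimal DNS forwarder with a fake clock and a constructed upstream (two assumed server addresses, 10.1.1.53 and 10.1.2.53, of which the first never replies) and measures how long an uncached lookup takes before the forwarder fails over. Assumptions: the "5 times" on the page is read as five retries after the initial send, a server that does reply is modelled as replying instantly, and every answer is cached for the fixed 300 seconds the page states.

```python
"""Model of the DNS proxy's UDP retry, failover and cache timing.

Added example: a fake clock lets us measure how long an uncached lookup takes
when the first configured server silently drops queries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP_TIMEOUT_S = 2.0   # resend if no response within 2 seconds (from the page)
MAX_RETRIES = 5       # assumption: "retries 5 times" = 5 resends after the first send
CACHE_TTL_S = 300.0   # entries cached for 300 seconds (from the page)


@dataclass
class FakeClock:
    now: float = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class DnsProxy:
    servers: List[str]
    # Constructed upstream behaviour: server -> {name: answer}; a missing
    # name means that server never replies to that query.
    upstream: Dict[str, Dict[str, str]]
    clock: FakeClock
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    sends: List[Tuple[str, str, float]] = field(default_factory=list)

    def _send(self, server: str, name: str) -> Optional[str]:
        """One UDP query; an unanswered query costs the full timeout."""
        self.sends.append((server, name, self.clock.now))
        answer = self.upstream.get(server, {}).get(name)
        if answer is None:
            self.clock.sleep(UDP_TIMEOUT_S)
        return answer

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (answer, source); source is 'cache', the answering server, or 'SERVFAIL'."""
        cached = self.cache.get(name)
        if cached is not None and cached[1] > self.clock.now:
            return cached[0], "cache"
        for server in self.servers:
            for _attempt in range(1 + MAX_RETRIES):   # initial send plus retries
                answer = self._send(server, name)
                if answer is not None:
                    self.cache[name] = (answer, self.clock.now + CACHE_TTL_S)
                    return answer, server
        return None, "SERVFAIL"   # every server exhausted its retries


def failover_latency(primary_dead: bool = True) -> Tuple[float, int, str]:
    """Seconds elapsed, queries sent and answering server for one uncached lookup."""
    clock = FakeClock()
    upstream = {"10.1.2.53": {"intranet.corp.example": "10.1.1.25"}}
    if not primary_dead:
        upstream["10.1.1.53"] = {"intranet.corp.example": "10.1.1.25"}
    proxy = DnsProxy(["10.1.1.53", "10.1.2.53"], upstream, clock)
    answer, source = proxy.resolve("intranet.corp.example")
    if answer != "10.1.1.25":
        raise RuntimeError("lookup failed")
    return clock.now, len(proxy.sends), source


if __name__ == "__main__":
    print("dead primary:", failover_latency(True))      # (12.0, 7, '10.1.2.53')
    print("healthy primary:", failover_latency(False))  # (0.0, 1, '10.1.1.53')
```

With a dead primary the first answer arrives only after six unanswered sends (12 seconds), which is why an internal DNS server that is reachable but drops queries looks to users like a broken tunnel; the same name is then served from cache for 300 seconds, and a name no server answers costs the full sequence on every server before the proxy gives up.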
DNS Resolution for Mobile Users
The following section provides examples of
how Prisma Access processes the source IP address of the DNS requests
after you configure DNS resolution for mobile users and for remote networks.
The following figure shows a deployment in which you have assigned an internal DNS server to resolve both internal and external domains. In this case, Prisma Access does not proxy the DNS requests, and the DNS server sees the request coming from 10.10.10.1 (the IP address of Mobile User 1’s device).

The following figure shows the DNS requests for internal domains being resolved by the DNS server in the headquarters or data center location, while requests for external domains are resolved by Prisma Access’ Cloud Default DNS server. In this case, Prisma Access proxies the requests, and the source IP address of the DNS request changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal requests and to the mobile user location’s gateway IP address (15.1.1.1 in this example) for external requests.

The following figure shows the organization using a third-party or public DNS server accessible through the internet for requests to external domains. Prisma Access proxies these requests as well, and the source IP address changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal requests and to 15.1.1.1 for external requests.

DNS Resolution for Remote Networks
If you have an existing remote network deployment, you can continue to use the DNS resolution methods that you already have in place, or you can have Prisma Access proxy the DNS requests. Proxying the DNS requests allows you to send DNS requests for public domains to one server and DNS requests for internal domains to another server.
The following figure shows a deployment in which an internal DNS server processes requests for both internal and external domains. The remote network IP address is 35.1.1.1 and the EBGP Router IP address is 172.1.1.1. In this case, Prisma Access does not proxy the requests and, if no NAT is applied between the client and the internal DNS server, the source IP address of the DNS request is 10.1.1.1 (the IP address of Client 1’s device in the remote network site).
If Prisma Access proxies the DNS request, the source IP address of the proxied DNS requests changes to the EBGP Router Address for internal requests and to the Service IP Address of the remote network connection for external requests, as shown in the following figure. When you configure the DNS server address that your network uses for Prisma Access proxied external requests, specify the Remote Network DNS Proxy IP Address (Panorama > Cloud Services > Status > Service Infrastructure > Remote Network DNS Proxy IP Address). In the following example, you would specify 172.1.255.254 in your network for the DNS server.
