DNS and Prisma Access
Enable Prisma Access to resolve both internal and public
domains. You can choose to use Prisma Access DNS or let Prisma Access
leverage your organization’s DNS setup.
Set It Up—DNS and Prisma Access
Here’s how to set up Prisma Access to resolve
internal domains, and how to customize DNS settings (to resolve
both internal and public domains) for mobile user deployments and
remote network sites.
- Enable Prisma Access to resolve your internal domains. Do this to provide access to services on your corporate network—like LDAP and DNS servers—especially if you plan to set up service connections to provide access to these types of resources at HQ or in data centers. DNS queries for domains in the Internal Domain List are sent to your local DNS servers so that those resources are available to Prisma Access remote network users and mobile users. This step shows you how to set up internal domain lists that apply to all traffic. Go to the next step to see how to create internal domain lists that apply only to specific mobile user deployments or remote network sites.
- Select Settings > Prisma Access Setup > Shared and Add Internal Domain List.
- Enter the Primary DNS server and Secondary DNS server that Prisma Access should use to resolve the internal domain names.
- Add the internal domain names to send to these DNS servers for resolution. You can use a wildcard (*) in front of a domain in the list, for example *.acme.local or *.acme.com.
- Add DNS settings for specific mobile user deployments and remote network sites.
- Configure DNS settings:
- Mobile Users—Go to Settings > Prisma Access Setup > Mobile Users and find Client DNS. (Optional) Select Advanced RCODE Support under Advanced Settings to allow the primary DNS server to fail over to the secondary DNS server if an RCODE 2 (SERVFAIL) or RCODE 5 (REFUSED) DNS response code is received. SERVFAIL means the primary DNS server was reached but could not process the query, and REFUSED means the primary DNS server refused to provide the requested information. In both cases, the service fails over to the secondary DNS server.
- Remote Networks—Go to Settings > Prisma Access Setup > Remote Networks and find DNS Proxy. (Optional) Select Advanced RCODE Support to allow the primary DNS server to fail over to the secondary DNS server if an RCODE 2 (SERVFAIL) or RCODE 5 (REFUSED) DNS response code is received.
- Use the Worldwide default (the Prisma Access default DNS server) or customize settings based on region. In either case, select the region to adjust and customize the DNS settings for that region.
- Select Use these DNS settings to resolve internal domains and, optionally, Use the internal DNS Server for resolving public domains too. If you don't select the second option, Prisma Access uses its cloud default DNS server to resolve requests for public domains.
- Allow traffic from all addresses in your mobile user IP address pool to your DNS servers. The DNS proxy in Prisma Access sends the requests to the DNS servers you specify. The source address in the DNS request is the first IP address in the IP pool you assign to the region. To ensure that your DNS requests can reach the servers, make sure that the firewall in front of your DNS servers permits DNS traffic (UDP and TCP port 53) from all addresses in your mobile user IP address pool.
How It Works — DNS and Prisma Access
Prisma Access provides you with different
ways to resolve DNS queries for mobile users and remote networks.
Continue here to learn more about:
DNS Resolution for Prisma Access
Prisma Access allows you to specify DNS servers
to resolve both domains that are internal to your organization and
external domains. Prisma Access proxies the DNS request based on
the configuration of your DNS servers. The following table shows
the supported DNS resolution methods for internal and external domains
and indicates when Prisma Access proxies the DNS requests.
| Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No) |
|---|---|---|
| Single rule, DNS server configured for Internal Domains | Cloud Default | Yes |
| Single rule, DNS server configured for Internal Domains | Same as Internal Domains | No |
| Single rule, DNS server configured for Internal Domains | Custom DNS server | Yes |
| Single rule, Cloud Default set for a domain | Cloud Default | Yes |
| Single rule, Cloud Default set for a domain | Same as Internal Domains | Yes |
| Single rule, Cloud Default set for a domain | Custom DNS server | Yes |
| Multiple rules, DNS server configured for Internal Domains | Cloud Default | Yes |
| Multiple rules, DNS server configured for Internal Domains | Same as Internal Domains | Yes |
| Multiple rules, DNS server configured for Internal Domains | Custom DNS server | Yes |
| No configuration | Custom DNS server | Yes |
| No configuration | Cloud Default | No |
| No configuration | No configuration | No |
| No DNS resolution specified (the default configuration is present, which uses Cloud Default) | No DNS resolution specified | No |
The source IP address of the DNS request depends
on whether or not Prisma Access proxies the DNS request.
- When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request is preserved as the IP address of the device that requested the DNS lookup. This source IP address allows you to enforce source IP address-based DNS policies on your DNS server or identify endpoints that communicate with malicious domains. This behavior applies to both mobile user and remote network deployments.
- When Prisma Access proxies the DNS requests, the source IP address of the DNS request changes to the following addresses:
- Mobile User deployments—The source IP address of the DNS request is an IP address taken from the mobile user IP address pool for internal requests and the mobile user location’s gateway IP address for external requests.
- Remote Network deployments—The source IP address of the DNS request is the EBGP Router Address for internal requests and the Service IP address of the remote network connection for external requests.
The following guidelines and
restrictions apply to using DNS resolution with Prisma Access:
- The maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that Prisma Access supports is 64.
- For UDP queries, the DNS proxy sends another request if it hasn’t received a response in 2 seconds, and retries a maximum of 5 times before trying the next DNS server.
- Prisma Access caches the DNS entries with a time-to-live (TTL) value of 300 seconds. EDNS responses are also cached.
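The client-side behaviour described in the setup steps and in the guidelines above (wildcard Internal Domain List matching, the 2-second/5-retry UDP schedule, and Advanced RCODE Support fail-over on SERVFAIL and REFUSED) modelled as a small Python resolver, as an added example that is not Palo Alto Networks code and not part of the original page. The server addresses 10.1.1.53 and 10.1.2.53, the placeholder name "cloud-default" for the Prisma Access cloud default resolver, and the treatment of a wildcard entry as not covering its own apex are assumptions. The queries are real DNS wire format, so with the default udp_send transport the functions can be pointed at your own internal servers from a connected client; ScriptedTransport is a constructed stand-in so the model runs offline.

```python
import random
import socket
import struct

RCODE_SERVFAIL, RCODE_REFUSED = 2, 5
UDP_TIMEOUT_S, UDP_RETRIES = 2.0, 5   # retry schedule from the guidelines above


def matches_internal_domain(name, domain_list):
    """True if `name` falls under an Internal Domain List entry such as
    "*.acme.local" or "acme.local". Assumption of this model: a wildcard needs
    at least one label in front of it, so "*.acme.local" does not cover the
    bare "acme.local"; list the apex as its own entry if you need it."""
    labels = name.rstrip(".").lower().split(".")
    for entry in domain_list:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*."):
            suffix = entry[2:].split(".")
            if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
                return True
        elif labels == entry.split("."):
            return True
    return False


def build_query(name, qtype=1):
    """Encode a recursive query in DNS wire format; returns (txid, packet)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_rcode(packet, expected_txid):
    """RCODE of a response to our query, or None if this is not that response."""
    if len(packet) < 12:
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    if txid != expected_txid or not flags & 0x8000:   # wrong txid or QR bit clear
        return None
    return flags & 0x000F


def udp_send(server, packet, timeout):
    """Real transport: one UDP exchange with `server` on port 53, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


def query_server(server, name, send=udp_send):
    """One server: the initial send plus up to UDP_RETRIES resends, each waiting
    UDP_TIMEOUT_S. Returns the RCODE, or None if the server never answered."""
    txid, packet = build_query(name)
    for _ in range(1 + UDP_RETRIES):
        reply = send(server, packet, UDP_TIMEOUT_S)
        if reply is not None:
            rcode = parse_rcode(reply, txid)
            if rcode is not None:
                return rcode
    return None


def resolve_like_prisma(name, primary, secondary, internal_domains,
                        advanced_rcode=False, cloud_default="cloud-default",
                        send=udp_send):
    """Choose the resolver for `name` as the settings above describe; returns
    (server_asked_last, rcode). Names outside the Internal Domain List go to
    the cloud default. Internal names go to the primary and move to the
    secondary on silence or, with Advanced RCODE Support, on SERVFAIL/REFUSED."""
    if not matches_internal_domain(name, internal_domains):
        return cloud_default, query_server(cloud_default, name, send)
    rcode = query_server(primary, name, send)
    fail_over = rcode is None or (
        advanced_rcode and rcode in (RCODE_SERVFAIL, RCODE_REFUSED))
    if fail_over:
        return secondary, query_server(secondary, name, send)
    return primary, rcode


class ScriptedTransport:
    """Constructed stand-in for udp_send so the model runs offline: answers with
    a fixed RCODE per server and stays silent (times out) for any other."""
    def __init__(self, rcode_by_server):
        self.rcode_by_server = rcode_by_server
        self.calls = []   # every server the proxy tried, in order

    def send(self, server, packet, timeout):
        self.calls.append(server)
        if server not in self.rcode_by_server:
            return None
        flags = 0x8180 | self.rcode_by_server[server]   # QR, RD, RA + RCODE
        return packet[:2] + struct.pack("!H", flags) + packet[4:12]
```

Running `resolve_like_prisma("ldap.acme.local", "10.1.1.53", "10.1.2.53", ["*.acme.local"], send=ScriptedTransport({"10.1.1.53": RCODE_SERVFAIL, "10.1.2.53": 0}).send)` stops at the primary with SERVFAIL; the same call with `advanced_rcode=True` continues to the secondary, and a primary that never answers is tried six times (one send plus five retries) before the secondary is asked. Point the same calls at your real servers with the default transport, from a client in the mobile user IP pool, to confirm that the firewall rules described in the setup steps let the queries through.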
DNS Resolution for Mobile Users
Here’s how Prisma Access processes the source
IP address of the DNS requests after you configure DNS resolution.
The following figure shows a deployment where you have assigned an internal DNS
server to resolve both internal and external domains. In this case,
Prisma Access does not proxy the DNS requests, and the DNS request
comes from Mobile User 1's GlobalProtect client IP address. The GlobalProtect
client assigns this IP address to the mobile user, taking it
from the Mobile User IP address pool.

The following figure shows the DNS requests for
internal domains being resolved by the DNS server in the headquarters
or data center location, while requests for external domains are
resolved by Prisma Access' Cloud Default DNS server. In this case,
Prisma Access proxies the external requests, and their
source IP address is the mobile user location's gateway IP address
(15.1.1.1 in this example), while the source IP of the internal requests remains
Mobile User 1's GlobalProtect client IP address.

The
following figure shows the organization using a third-party or public
DNS server accessible through the internet for requests to external
domains. Prisma Access proxies these requests as well.

DNS Resolution for Remote Networks
The following figure shows a DNS request in
a deployment where an internal DNS server is used to process requests
for both internal and external domains. The remote network IP address
is 35.1.1.1 and the EBGP Router IP address is 172.1.1.1. In this case,
Prisma Access does not proxy the requests and, if no NAT is applied on
the path to the internal DNS server, the source IP
of the DNS request is 10.1.1.1 (the IP address of Client 1's device
in the remote network site).
If Prisma Access proxies the DNS request, the source IP address of
the proxied DNS requests changes to the EBGP Router Address for
internal requests and the Service IP Address of the remote network
connection for external requests, as shown in the following figure. When
you configure the DNS address in your network to use for Prisma
Access proxied external requests, specify the Remote Network DNS Proxy
IP Address (Panorama > Cloud Services > Status > Service Infrastructure >
Remote Network DNS Proxy IP Address). In the following
example, you would specify 172.1.255.254 in your network for the
DNS server.
