DNS Resolution for Mobile Users and Remote Networks

This section shows the possible configurations you can use for Prisma Access to resolve DNS queries for mobile users and remote networks.
Prisma Access provides different ways to resolve DNS queries for mobile users and remote networks. The following sections describe the types of DNS resolution that Prisma Access supports for mobile users and remote networks, along with the steps you use to configure each one.

DNS Resolution for Prisma Access

Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. Prisma Access proxies the DNS request based on the configuration of your DNS servers. The following table shows the supported DNS resolution methods for internal and external domains and indicates when Prisma Access proxies the DNS requests.
Internal DNS Resolution Method      | External DNS Resolution Method          | Prisma Access Proxies the DNS Request
------------------------------------+-----------------------------------------+--------------------------------------
Customer’s DNS server               | Customer’s DNS server (same server as   | No
                                    | for internal domains)                   |
Customer’s DNS server               | Prisma Access Cloud Default             | Yes
Customer’s DNS server               | Third-party or public DNS server        | Yes
No DNS resolution specified (the    | No DNS resolution specified             | No
default configuration, which uses   |                                         |
the Cloud Default, applies)         |                                         |

To disable the proxy, you must specify the same server to resolve external domains as the one that you use to resolve internal domains, by selecting Same as Internal Domains during mobile user or remote network onboarding.
The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS request.
  • When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request is the IP address of the device that requested the DNS lookup. This lets you enforce source IP address-based DNS policies on the DNS server and identify which endpoint communicated with a malicious domain. This behavior applies to both mobile user and remote network deployments.
  • When Prisma Access proxies the DNS requests, the DNS server no longer sees the device address: the source IP address changes to a Prisma Access address, as described in the following sections (an address from the mobile user IP address pool or the gateway IP address for mobile users, and the EBGP Router Address or the Service IP Address for remote networks).

DNS Resolution for Mobile Users

The following sections provide examples of how Prisma Access sets the source IP address of DNS requests after you configure DNS resolution for mobile users and for remote networks.
The following figure shows a deployment where you have assigned an internal DNS server to resolve both internal and external domains. In this case, Prisma Access does not proxy the DNS requests, and the DNS server sees the request coming from 10.10.10.1 (the IP address of Mobile User 1’s device).
dns-resolution-mobile-user-internal.png
The following figure shows the DNS requests for internal domains being resolved by the DNS server in the headquarters or data center location, while requests for external domains are resolved by Prisma Access’ Cloud Default DNS server. In this case, Prisma Access proxies the requests, and the source IP address of the DNS request changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal requests and to the mobile user location’s gateway IP address (15.1.1.1 in this example) for external requests.
dns-resolution-mobile-users-cloud-default.png
The following figure shows the organization using a third-party or public DNS server accessible through the internet for requests to external domains. Prisma Access proxies these requests as well, and the source IP address changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal requests and to 15.1.1.1 for external requests.
dns-resolution-mobile-user-3rd-party-dns.png

DNS Resolution for Remote Networks

If you have an existing remote network deployment, you can continue to use the DNS resolution methods that you already have in place, or you can use Prisma Access to proxy the DNS requests. Proxying the DNS requests allows you to send DNS requests for public domains to one server and DNS requests for internal domains to another server.
The following figure shows a DNS request in a deployment where an internal DNS server processes requests for both internal and external domains. The remote network IP address is 35.1.1.1 and the EBGP Router IP address is 172.1.1.1. In this case, Prisma Access does not proxy the requests and, if no NAT is applied between the client and the internal DNS server, the source IP address of the DNS request is 10.1.1.1 (the IP address of Client 1’s device in the remote network site).
dns-resolution-internal-both.png
If Prisma Access proxies the DNS request, the source IP address of the proxied DNS requests changes to the EBGP Router Address for internal requests and to the Service IP Address of the remote network connection for external requests, as shown in the following figure.
When you configure the DNS server address that your network uses for Prisma Access proxied external requests, specify the Remote Network DNS Proxy IP Address (Panorama > Cloud Services > Status > Service Infrastructure > Remote Network DNS Proxy IP Address). In the following example, you would specify 172.1.255.254 as the DNS server in your network.
dns-resolution-3rd-party-dns.png
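As an added illustration (not Prisma Access code and not part of the original page), the following Python script applies the proxy decision from the resolution-method table and the source addresses from the mobile user and remote network figures to a DNS server query log. It decides whether Prisma Access proxies for a given configuration, lists the source addresses an internal DNS server must accept in each case, and flags log entries whose source is a Prisma Access address rather than an endpoint, which is exactly the case where a source IP-based DNS policy or a hunt for devices querying a malicious domain cannot rely on the DNS log alone. The addresses reuse the page's example values; the BIND-style log lines, the configuration strings, and all function and label names are constructed assumptions.

```python
"""Classify DNS query-log sources for a Prisma Access deployment (added example,
not Prisma Access code). Without the DNS proxy the DNS server sees the endpoint
address; with it, it sees a mobile user pool or gateway address, or the EBGP
router or Service IP address. Addresses, log format and labels are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Deployment:
    """Addresses a DNS server can see for one deployment (assumed values)."""
    mobile_user_pool: ipaddress.IPv4Network
    mobile_user_gateway: ipaddress.IPv4Address
    ebgp_router: ipaddress.IPv4Address
    remote_network_service_ip: ipaddress.IPv4Address
    endpoint_networks: Tuple[ipaddress.IPv4Network, ...]  # real device addresses

# Values taken from the page's figures; replace with your own deployment.
EXAMPLE = Deployment(
    mobile_user_pool=ipaddress.ip_network("172.16.55.0/24"),
    mobile_user_gateway=ipaddress.ip_address("15.1.1.1"),
    ebgp_router=ipaddress.ip_address("172.1.1.1"),
    remote_network_service_ip=ipaddress.ip_address("35.1.1.1"),
    endpoint_networks=(ipaddress.ip_network("10.10.10.0/24"),  # Mobile User 1
                       ipaddress.ip_network("10.1.1.0/24")),   # remote network site
)

def prisma_proxies_dns(internal: str, external: str) -> bool:
    """Proxy decision from the resolution-method table: Prisma Access proxies
    unless the external resolver is 'Same as Internal Domains' or no resolver
    is configured at all (the Cloud Default then handles everything)."""
    if internal == "none" and external == "none":
        return False
    return external != "same_as_internal"

def internal_dns_allow_list(dep: Deployment, proxied: bool) -> List[str]:
    """Sources the customer's internal DNS server must accept: proxied internal
    requests arrive from the pool or the EBGP router address, unproxied ones
    from the endpoints themselves."""
    if proxied:
        return [str(dep.mobile_user_pool), str(dep.ebgp_router)]
    return [str(net) for net in dep.endpoint_networks]

def classify_source(src: str, dep: Deployment) -> Tuple[str, bool]:
    """Return (path label, attributable). Only an endpoint address identifies
    the querying device, so only then can a source-IP DNS policy or a hunt for
    devices querying a malicious domain act on the DNS log directly."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in dep.endpoint_networks):
        return "endpoint (not proxied)", True
    if ip in dep.mobile_user_pool:
        return "mobile user, proxied internal request", False
    if ip == dep.mobile_user_gateway:
        return "mobile user, proxied external request", False
    if ip == dep.ebgp_router:
        return "remote network, proxied internal request", False
    if ip == dep.remote_network_service_ip:
        return "remote network, proxied external request", False
    return "unknown", False

# BIND-style query log lines, constructed for this example.
SAMPLE_LOG = """\
client 10.10.10.1#51234: query: intranet.example.internal IN A +
client 172.16.55.17#40012: query: intranet.example.internal IN A +
client 172.1.1.1#53022: query: fileserver.example.internal IN A +
client 10.1.1.1#61003: query: suspicious.example.test IN A +
client 15.1.1.1#47721: query: suspicious.example.test IN A +
"""
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN")

def attribute_queries(log_text: str, dep: Deployment) -> List[Dict[str, object]]:
    """Parse query-log lines and tag each with its path and attributability."""
    rows = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than guess
        path, attributable = classify_source(m["src"], dep)
        rows.append({"name": m["name"], "src": m["src"],
                     "path": path, "attributable": attributable})
    return rows

def sources_for_domain(log_text: str, dep: Deployment, name: str) -> List[Tuple[str, bool]]:
    """Who queried `name`? Unattributable hits must be correlated with Prisma
    Access logs (pool assignment or remote network site) instead."""
    return [(r["src"], r["attributable"])
            for r in attribute_queries(log_text, dep) if r["name"] == name]

if __name__ == "__main__":
    for row in attribute_queries(SAMPLE_LOG, EXAMPLE):
        flag = "" if row["attributable"] else "  <- correlate with Prisma Access logs"
        print(f'{row["src"]:>14}  {row["name"]:<28} {row["path"]}{flag}')
```

Running the script marks the 172.16.55.17, 172.1.1.1 and 15.1.1.1 entries as proxied: the two lookups of suspicious.example.test resolve to one attributable endpoint (10.1.1.1) and one mobile user gateway address that only Prisma Access logs can tie back to a device. If you need endpoint attribution on the DNS server itself, select Same as Internal Domains during onboarding so that Prisma Access does not proxy; if you keep the proxy, the internal DNS server's access control must permit the pool and EBGP router addresses that `internal_dns_allow_list` returns.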
