DNS Survivability

Prisma SD-WAN DNS Survivability Use Case
In the modern branch, most systems rely heavily on SaaS solutions for most day to day tasks. These include productivity tools such as Office 365, credit card processing systems such as Square, and POS (point-of-sale) systems such as Aloha; all delivered from the public internet. Besides DNS resolution, these systems have no dependency on private networks.
Using the Prisma SD-WAN DNS service, the system can be configured to use public internet DNS systems by default while sending internal domain name resolution requests to private DNS servers in the network. The majority of site services remain active and functional if the branch is unable to connect with the centralized, private DNS servers.

DNS and Trusted SaaS App Traffic Flow before Prisma SD-WAN

When the branch PC sends a DNS resolution request to the DNS server located in the central data center, the data center DNS server receives the request and responds, if known or cached. Else, forwards the request to the upstream DNS server.
The branch PC receives the DNS response with the IP address information for the trusted SaaS application. The connection request is sent to the destination server. The data center firewall receives the inbound connection request from the WAN edge MPLS router and forwards it to the internet.
The SaaS service receives the TCP connection request and sends an acknowledgment back to the data center firewall. The branch PC receives the TCP connection acknowledgment.

DNS and Trusted SaaS App Traffic Flow After Prisma SD-WAN

When the branch PC sends the DNS resolution request to the local branch ION, configured as the primary DNS server, the ION DNS service receives the request and responds if the domain record is cached. Else, it forwards the request to the upstream DNS server based on the configuration. The internet DNS server receives the request and responds to the branch ION. The branch ION forwards the response to the branch PC.
The branch PC receives the DNS response with the IP address information for the trusted SaaS application, and the connection request is sent to the destination server. The branch ION receives a connection request for the trusted SaaS application and sends it directly onto the internet path per policy.
The SaaS service receives the TCP connection request and sends an acknowledgment back to the branch ION. The branch PC receives the TCP connection acknowledgment.

Recommended For You