Configure the DNS Service on the Prisma SD-WAN Interface

Configure DNS roles and profiles from the Prisma SD-WAN web interface. The Prisma SD-WAN DNS Service provides a rich suite of Domain Name System services directly to branch users and devices.
Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name to an IP address so that users can access computers, websites, services, or other resources on the internet or on private networks.
Create and configure both DNS Service Roles and DNS Service Profiles from the Prisma SD-WAN web interface. After the DNS roles and profiles are created, enable the DNS service on the branch ION device.
Locally significant configuration and attributes are specified in the device-level DNS service configuration, which augments or, in some cases, overrides the configuration specified in the DNS Service Profile.
DNS Service Roles are used to group interfaces that have common functions. Some interfaces listen for DNS requests, others only forward DNS requests, and some both listen and forward. After you assign a role to a specific DNS server's IP address in a global DNS Service Profile, the role is mapped to the device's interfaces at the device level.
DNS Service Profiles are used to specify configuration parameters for the DNS service. Commonly configured parameters include DNS servers, domain-to-address mapping, cache configuration, and DNSSEC configuration. After a DNS Service Profile is created, it is bound to a device. The following topics describe how to configure the DNS service on the Prisma SD-WAN web interface and on the ION device.

Configure DNS Roles

The Prisma SD-WAN DNS Service provides a rich suite of Domain Name System services directly to branch users and devices. The DNS service answers DNS queries from a local cache or forwards them to upstream DNS servers. It retains host details locally so that local host names do not appear in the global DNS. The Prisma SD-WAN DNS service acts as a caching or authoritative server on devices that are in an assigned state for a branch site.
To access the DNS service, an administrator needs one of the following roles: support, super, network admin, security admin, or view only. Navigate to the DNS service from the Prisma SD-WAN web interface.
  1. Select Manage > Resources > Configuration Profiles > DNS > DNS Service Roles and click Create DNS Role.
  2. Enter the Name, (Optional) Description, and (Optional) Tags for the DNS Service role.
  3. Click Save.
    The DNS Service Roles screen lists each role's name and the number of DNS services and DNS profiles that use the role.

Configure DNS Profiles

Create a DNS Profile from the Prisma SD-WAN web interface.
  1. Select Manage > Resources > Configuration Profiles > DNS > DNS Service Profiles and click Create DNS Profile.
  2. Enter Basic information for the profile, choose whether to enforce strict domain names and DNS loop detection, and add the DNS servers.
    1. Enter the Name, (Optional) Description, and (Optional) Tags for the DNS Service Profile.
    2. Select Enable strict domain name and Enable DNS loop detection as required.
    3. (Optional) Enter the Max EDNS Packets size. The default size is 4096.
    4. (Optional) Choose a Listen DNS Role from the drop-down and enter the Listen Port number. The default port is 53; if you change it, the value must be between 1 and 65535. Roles created as part of the DNS service are listed in the Listen DNS Role field.
    5. (Optional) Select Send to all DNS Servers.
    6. Add a DNS server by specifying the DNS Server IP and (Optional) DNS Server Port.
    7. Select either IP Prefix or Domain and enter the required information. Configuring an IP Prefix forwards PTR (reverse lookup) queries for the specified subnet to this DNS server. Configuring a Domain Name forwards name-resolution requests for the specified domain(s) to this DNS server.
    8. (Optional) Choose a Forward DNS Role from the drop-down and enter the Source Port. Roles created as part of the DNS service are listed in the Forward DNS Role field.
  3. Map Domain to Address to specify the DNS responses returned for the configured names. Each Domain to Address mapping and its IP address must be unique.
    1. Click Add to add a domain-to-address entry.
    2. Specify the Domain Name and the IP Prefix.
  4. Specify the Queries and Responses parameters to append client metadata (client MAC address, a customer-premises-equipment identifier, and client subnet) to the DNS query as it is sent to the upstream DNS server. DNS responses can also be rewritten, or specific responses can be blocked entirely.
    1. Select Add a Client and specify the Mac Encoding Format.
    2. Enter a Custom Text and an Identifier, or choose the Element ID/Element from the drop-down.
    3. Add a new Subnet by entering the (Optional) IP Address and the Prefix Length.
    4. Select Disable private IP lookups if required. If required, enter Max TTL and Local TTL values in seconds.
    5. (Optional) Enter the IP addresses to be treated as Bogus NX Domains and as Ignore IP Addresses.
    6. Create Aliases to rewrite IP addresses in DNS responses. Match the original address either by an Original IP Prefix or by an Original IP Range (enter the original start IP and original end IP), and specify the replacement IP address.
  5. Specify the Cache and DNSSEC proxy configurations.
    1. Select Disable Negative Caching if required. If required, enter values in seconds for Min Cache TTL, Max Cache TTL, and Negative Cache TTL, and enter the Cache Size.
    2. Select Stop dns rebind for private ip to reject upstream answers that resolve a name to a private IP address (a defense against DNS rebinding attacks), and select Enable localhost rebind to allow answers in the loopback range despite that check.
    3. (Optional) Enter the names of the Rebind Domains that are exempt from the rebind check.
    4. Select to enable the DNSSEC Proxy and DNSSEC Config options.
    5. Enter the Class, Domain, Key Tag, and Algorithm and click Add to add a new Trust Anchor.
  6. Add a record by entering basic information in Authoritative Config, or enter secondary server details.
    1. (Optional) Enter the Secondary Server details, Peers, and TTL value in seconds.
    2. To Add a record, enter the Name (record names are listed in the drop-down), Flags, Tag, and Value.
  7. Complete all configuration requirements and Submit.

Configure DNS Service on the ION Device

After you configure the DNS Service Roles and DNS Service Profiles, enable the DNS service at the device level. Only a single DNS service instance is allowed per ION device. You can map a DNS Service Profile to the DNS service, assign interfaces to the DNS service role mappings, and specify device-specific attributes. The DNS service can be enabled or disabled as required. To configure the DNS service on the ION device:
  1. Select Workflows > Devices > Claimed Devices, select the device, click Configure the device, and select DNS Service.
    ION devices running version 6.2.1 and later support IPv6 servers.
  2. Configure the Service Info tab.
    1. Enable the DNS service. Once the DNS service is enabled, selecting a DNS profile is mandatory, and the service is active for both IPv4 and IPv6 addresses.
    2. Enter a Name, (Optional) Description, and (Optional) Tags for the DNS Service.
    3. Select the strict domain name and DNS loop detection options as required.
    4. Select a DNS Profile from the drop-down. The list contains the profiles created from the web interface under Configuration Profiles.
    5. (Optional) Enter values for Max Concurrent DNS Queries and the Cache Size. The default value is 150.
    6. Click Add to bind a role to the DNS Service.
    7. In the Add New Record dialog, choose the DNS Role and select the Interface or enter the Interface IP.
  3. Configure the Queries Metadata tab.
    1. (Optional) Configure the metadata under Customer Premises Equipment. If the values entered here differ from those in the DNS Service Profile, the device-level DNS Service values take precedence.
    2. In the Add New Record dialog, enter the (Optional) IP Address and the Prefix Length. This option can be configured both in the profile on the web interface and at the device level.
  4. Configure the Domain Mapping tab.
    1. (Optional) Add domain names mapped to the configured IP address and to the configured interfaces. If the values entered here differ from those in the DNS Service Profile, the device-level DNS Service values take precedence.
    2. In the Domain to Interface section, click Add, enter the Domain Names, and choose an Interface from the drop-down.
  5. Complete all configuration requirements and Submit.
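The device-level steps above combine three rules that are easy to get wrong when many branches are configured: one DNS service per ION, a profile that becomes mandatory once the service is enabled, and device-level values that augment or override the bound profile, with roles only taking effect once interfaces are bound to them on the device. The following Python is an added pre-push check written for this page, not Prisma SD-WAN code, its API, or its configuration schema: it models those rules over constructed sample data and computes the effective listeners and merged metadata for a device. The class and field names, the check logic, and the gate that refuses IPv6 interface addresses on versions before 6.2.1 are assumptions made for illustration (the page states only that IPv6 servers are supported on 6.2.1 and later).

```python
"""Check device-level DNS service bindings and compute the effective config.

Added example (not Prisma SD-WAN code, API or schema). Field names, the
version gate on interface addresses and the check logic are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Profile:
    """Subset of a DNS Service Profile relevant to device-level binding."""
    name: str
    listen_role: str
    listen_port: int = 53
    forward_role: str = ""
    cpe_metadata: Dict[str, str] = field(default_factory=dict)    # Queries Metadata
    domain_mapping: Dict[str, str] = field(default_factory=dict)  # Domain Mapping


@dataclass
class DeviceDnsService:
    """Device-level DNS Service: profile binding plus locally significant data."""
    element_id: str
    software_version: Tuple[int, int, int]
    enabled: bool
    profile: str = ""
    role_bindings: Dict[str, List[str]] = field(default_factory=dict)  # role -> interfaces
    interface_ips: Dict[str, str] = field(default_factory=dict)        # interface -> IP
    cpe_metadata: Dict[str, str] = field(default_factory=dict)
    domain_mapping: Dict[str, str] = field(default_factory=dict)


IPV6_MIN_VERSION = (6, 2, 1)   # page: IPv6 servers supported on 6.2.1 and later


def validate(services: List[DeviceDnsService], profiles: Dict[str, Profile]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent."""
    errors: List[str] = []
    seen = set()
    for svc in services:
        if svc.element_id in seen:
            errors.append(f"{svc.element_id}: only one DNS service is allowed per device")
        seen.add(svc.element_id)
        if not svc.enabled:
            continue
        if not svc.profile:
            errors.append(f"{svc.element_id}: a DNS profile is mandatory once the service is enabled")
            continue
        prof = profiles.get(svc.profile)
        if prof is None:
            errors.append(f"{svc.element_id}: unknown DNS profile {svc.profile!r}")
            continue
        if not 1 <= prof.listen_port <= 65535:
            errors.append(f"{prof.name}: listen port {prof.listen_port} outside 1-65535")
        # A role referenced by the profile does nothing until the device binds interfaces to it.
        for role in (prof.listen_role, prof.forward_role):
            if role and not svc.role_bindings.get(role):
                errors.append(f"{svc.element_id}: role {role!r} is not bound to any interface")
        for ifname, ip in svc.interface_ips.items():
            if ipaddress.ip_address(ip).version == 6 and svc.software_version < IPV6_MIN_VERSION:
                errors.append(f"{svc.element_id}: interface {ifname} has an IPv6 address "
                              f"but IPv6 needs ION version 6.2.1 or later")
    return errors


def effective_config(svc: DeviceDnsService, prof: Profile) -> dict:
    """Merge profile and device-level settings: device-level entries augment the
    profile and win on conflicting keys; listeners are the interfaces bound to
    the profile's listen role on this device, on the profile's listen port."""
    listeners = [(svc.interface_ips[i], prof.listen_port)
                 for i in svc.role_bindings.get(prof.listen_role, [])]
    return {
        "listeners": listeners,
        "cpe_metadata": {**prof.cpe_metadata, **svc.cpe_metadata},
        "domain_mapping": {**prof.domain_mapping, **svc.domain_mapping},
    }


# Constructed sample data, not taken from any real deployment.
PROFILES = {
    "branch-dns": Profile("branch-dns", listen_role="lan-listen", forward_role="wan-forward",
                          cpe_metadata={"identifier": "cpe-default"},
                          domain_mapping={"printer.branch.example": "10.20.5.7"}),
}
GOOD = DeviceDnsService("ion-1", (6, 2, 1), True, "branch-dns",
                        role_bindings={"lan-listen": ["1"], "wan-forward": ["2"]},
                        interface_ips={"1": "10.20.0.1", "2": "198.51.100.9"},
                        cpe_metadata={"identifier": "site-42"},
                        domain_mapping={"nas.branch.example": "10.20.5.8"})
BAD = DeviceDnsService("ion-2", (6, 1, 0), True, "branch-dns",
                       role_bindings={"lan-listen": ["1"]},
                       interface_ips={"1": "2001:db8::1"})
DUPLICATE = DeviceDnsService("ion-1", (6, 2, 1), False)
```

`validate([GOOD, BAD, DUPLICATE], PROFILES)` reports the unbound forward role and the IPv6 address on the 6.1.0 device, and the second entry for `ion-1`; `effective_config(GOOD, PROFILES["branch-dns"])` shows the device's `identifier` replacing the profile's while the profile's domain mapping is kept alongside the device's own entry.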