Configure the DNS Service on the Prisma SD-WAN Interface
Table of Contents
Expand All
|
Collapse All
Prisma SD-WAN Docs
-
-
-
-
- AWS Transit Gateway
- Azure vWAN
- Azure vWAN with vION
- ChatBot for MS Teams
- ChatBot for Slack
- CloudBlades Integration with Prisma Access
- GCP NCC
- Service Now
- Zoom QSS
- Zscaler Internet Access
-
-
- ION 5.2
- ION 5.3
- ION 5.4
- ION 5.5
- ION 5.6
- ION 6.0
- ION 6.1
- ION 6.2
- ION 6.3
- ION 6.4
- New Features Guide
- On-Premises Controller
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
- Prisma SD-WAN CloudBlades
Configure the DNS Service on the Prisma SD-WAN Interface
Configure DNS Roles and Profiles from the Prisma SD-WAN. DNS Service
provides a rich suite of Domain Name System Services directly to branch users and
devices.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Domain Name System (DNS) is a protocol that translates (resolves) a
user-friendly domain name to an IP address so that users can access computers,
websites, services, or other resources on the internet or private networks.
Create and configure both DNS Service Roles and DNS Service Profiles
from the Prisma SD-WAN web interface. After the DNS roles and
profiles are created, enable the DNS service on the branch ION device.
Locally significant configuration and attributes are specified at the device-level
DNS service configuration, effectively augmenting or, in some cases overriding the
configuration specified in the DNS Service Profile.
DNS Service Roles is used to group interfaces
that have common functions. Some interfaces listen for DNS requests, while others
only forward DNS requests. In some cases, interfaces listen and forward DNS
requests. After you assign a role to a specific DNS server's IP address in a global
DNS service profile, the role gets assigned at the device level.
DNS
Service Profiles is used to specify configuration
parameters for the DNS service. Commonly configured parameters include DNS Servers,
Domain to Address Mapping, Cache Configuration, and DNSSEC Configuration. After the
DNS service profile is created, it is bound to a device. The following topics
describe how to configure the DNS Service on the Prisma SD-WAN web
interface and the ION device.
Configure DNS Roles
The Prisma SD-WAN DNS Service provides a rich suite
of Domain Name System Services directly to branch users and devices. The DNS
service responds to DNS queries from a local cache, or forwards queries to
upstream DNS servers. It retains the host details to ensure that local host
names do not appear in the global DNS. The Prisma SD-WAN DNS
service acts as a caching or authoritative server on devices in an assigned
state for a branch site.
To access the DNS service, administrators must have support, super, network
admin, security admin, and view only permissions. Navigate to the DNS service
from the Prisma SD-WAN web interface.
- Select ManageResourcesConfiguration ProfilesDNSDNS Service Roles and click Create DNS Role.Enter the Name, (Optional) Description, and (Optional) Tags for the DNS Service role.Click Save.The DNS Role screen displays the name of the DNS service, the number of DNS services, and DNS profiles using this role.
Configure DNS Profiles
Create a DNS Profile from the Prisma SD-WAN web interface. - Select ManageResourcesConfiguration ProfilesDNSDNS Service Roles and click Create DNS Profile.Enter Basic information for the profile, select to retain strict domain names and DNS loop detection, and add a DNS server.
- Enter the Name, (Optional) Description, and (Optional) Tags for the DNS service profile.Select to Enable strict domain name and to Enable DNS loop detection.(Optional) Enter the Max EDNS Packets size.The default size is 4096.(Optional) Choose a Listen DNS Role from the drop-down and enter the Listen Port number.The default value is 53. The optional value must be between 1 to 65535.Roles created as part of the DNS service are listed in the Listen DNS Role field.(Optional) Select the option Send to all DNS Servers.Add a DNS server, by specifying the DNS Server IP and (Optional) DNS Server Port.Select either IP Prefix or Domain and enter the required information.Configuring the IP Prefix forwards PTR (reverse lookups) for the specified subnet to the DNS server.Configuring the Domain Name option forwards name resolution request for the specified domain(s) to the DNS server.(Optional) Choose a Forward DNS Role from the drop-down and enter the Source Port.Roles created as part of the DNS service are listed in the Forward DNS Role field.Map Domain to Address to enable you to specify DNS responses with the configured mapping.The Domain to Address mapping and the IP address must be unique.
- Click Add to add a domain address.Specify the Domain Name and the IP Prefix.Specify the Queries and Responses parameters to append the client metadata to the DNS query as it is sent to the upstream DNS server.DNS responses can also be overridden or can block specific responses entirely.
- Select Add a Client and specify the Mac Encoding Format.Enter a Custom Text and an Identifier, or choose the Element ID/Element from the drop-down.Add a new Subnet by entering the (Optional) IP Address and the Prefix Length.Select to Disable private IP lookups.If required, enter Max TTL and Local TTL values in seconds.(Optional) Enter IP addresses that can be identified as Bogus NX Domains and Ignore IP Addresses.Create new Aliases by replacing the IP address.This can be done by either choosing to replace the Original IP Prefix or retaining the Original IP Range by entering the original start IP and original end IP.Specify the Cache and DNSSec proxy configurations.
- Select to Disable Negative Caching option.If required, include values in seconds for Min Cache TTL, Max Cache TTL, Cache Size, and Negative Cache TTL.Select to Stop dns rebind for private ip and to Enable localhost rebind.(Optional) Enter the names of the Rebind Domains.Select to enable the DNSSEC Proxy and DNSSEC Config options.Enter information on Class, Domain, Key Tag, and Algorithm to Add a new Trust Anchor.Add a record by entering basic information in Authoritative Config or enter secondary server details.
- (Optional) Enter Secondary Server details, Peers, and TTL value in seconds.To Add a record, enter the Name (record names are listed in the drop-down), Flags, Tag, and Value.Complete all configuration requirements and Submit.
Configure DNS Service on the ION Device
After you configure the DNS Service Roles and DNS Service Profiles, enable the DNS Service at the device-level. Only a single instance is allowed per ION device. You can map a DNS Service Profile to a DNS Service, assign interfaces to the DNS service role mappings, and specify device-specific attributes. The DNS service can be enabled or disabled as required. To configure the DNS service on the ION device:- Select WorkflowsDevicesClaimed DevicesSelect the deviceConfigure the deviceDNS Service. The ION devices on version 6.2.1 and later support IPv6 servers.Configure the Service Info tab.
- Enable the DNS service to ensure that the DNS profile selected is not optional. Once the DNS service is enabled, it would be activated for both IPv4 and IPv6 addresses.Enter a Name, (Optional) Description, and include (Optional) Tags for the DNS Service.Select to maintain strict domain name and enable DNS loop detection options.Select a DNS Profile from the drop-down.These will include profiles that are created at the user interface level.(Optional) Include values for Max Concurrent DNS Queries and the Cache Size.The default value is 150.Click Add to bind a role to the DNS Service.In the Add New Record dialog, choose the DNS Role, select the Interface or enter the Interface IP. The ION devices on version 6.2.1 and later support IPv6 servers.Configure the Queries Metadata tab.
- (Optional) Configure the metadata under Customer Premises Equipment.If the entered values differ from the DNS Service Profile, the DNS Service values is considered.In the Add New Record dialog, enter the (Optional) IP Address and the Prefix Length.This option is configured at both the user interface level and the device level.Configure the Domain Mapping tab.
- (Optional) Add the domain names to the configured IP address and the configured interfaces.If the entered values differ from the DNS Service Profile, the DNS Service values is considered.In the Domain to Interface section, click Add to enter the Domain Names and choose an Interface from the drop-down.Complete all configuration requirements and Submit.