Paloalto Configure firewall for proxy DNS

From Notes_Wiki

Home > Enterprise security devices or applications > Paloalto firewall > Paloalto Configure firewall for proxy DNS

Palo Alto Networks firewalls can act as DNS servers for local users. By configuring DNS Proxy on the firewall, you can intercept DNS requests from internal clients and forward them to external DNS servers or resolve them locally.

Configure DNS proxy via setup and service route configuration

To check the DNS settings on a Palo Alto firewall, you can follow these steps:

  1. Log in to the Palo Alto Networks web interface (PAN-OS).
  2. Navigate to the "Device" tab in the top menu.
  3. Click on "Setup" in the left-hand menu.
  4. Under the "Services" section, click on "Service Route Configuration."
  5. In the "DNS Proxy" section, you will find the DNS settings configured on the firewall.


Configuring a new DNS Proxy

On a new firewall, create a new DNS proxy with the appropriate primary and secondary DNS server IPs, and select the LAN interface on the right as the proxy interface (the interface on which the firewall should listen for DNS requests to proxy). Overall, the DNS Proxy configuration includes the following settings:

Enable/Disable
You can enable or disable the DNS Proxy functionality.
Primary DNS Server
This is the IP address of the primary DNS server to which DNS requests will be forwarded.
Secondary DNS Server
This is the IP address of the secondary DNS server to which DNS requests will be forwarded if the primary server is unreachable.
DNS Cache Timeout
This is the duration for which DNS entries are cached on the firewall.

Commit the changes once done. Then validate with

 nslookup www.google.co.in <firewall-interface-ip>

that the firewall returns a DNS reply.
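To script the validation above, here is an added example (not from the wiki page or Palo Alto Networks) that builds a raw DNS A query, sends it to the firewall's proxy interface and parses the reply. The firewall IP 192.0.2.1 is an assumed placeholder, and sample_response() produces constructed reply bytes for offline testing, not captured traffic.

```python
import socket
import struct
TXID = 0x1234  # fixed transaction id, fine for a one-off check

def build_query(name: str) -> bytes:
    """Standard recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp: bytes, off: int) -> int:  # advance past a (possibly compressed) name
    if (resp[off] & 0xC0) == 0xC0:  # compression pointer, always 2 bytes
        return off + 2
    while resp[off] != 0:
        off += resp[off] + 1
    return off + 1

def parse_answer(resp: bytes):
    """Return (rcode, list of A-record IPs) from a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def query_proxy(firewall_ip: str, name: str, timeout: float = 3.0):
    """Ask the firewall's DNS proxy directly; any parsed reply shows the proxy is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (firewall_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_answer(data)

def sample_response(name: str, ip: str, rcode: int = 0) -> bytes:
    """Constructed reply (not captured traffic) for testing parse_answer offline."""
    q = build_query(name)[12:]
    hdr = struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + q + (rr if rcode == 0 else b"")
```

From a LAN host, `query_proxy("192.0.2.1", "www.google.co.in")` (with your firewall interface IP in place of the placeholder) returns `(0, [...])` when the proxy answers, and raises a socket timeout when it does not.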


Later on, the created DNS proxy can be viewed at any time under Network -> DNS Proxy.

Note:

  • Only one DNS proxy can be active at a time. Hence all interfaces on which DNS proxy is needed must be added to a single DNS proxy instance.


Ensure there is a security ACL allowing communication with the primary/secondary DNS servers

After this we must create a LAN-WAN rule with source any and destination the primary/secondary DNS servers specified above, with no security profiles attached. Without this the firewall may suddenly stop answering DNS queries because of some AV signature.


CLI access to dns-proxy

We can query the DNS proxy from the command line or look at its cache via:

test dns-proxy query name DNS-Proxy1 domain-name www.google.co.in
show dns-proxy cache all


Cloudflare family DNS

Consider using:

  • 1.1.1.3
  • 1.0.0.3

as upstream DNS in the firewall. See https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

