Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

This scenario uses split DNS, a configuration in which DNS Proxy rules redirect DNS requests to a set of DNS servers based on a domain name match. If there is no match, the Server Profile determines the DNS servers to which the request is sent; the rule-based path and the profile-based fallback are the two resolution methods that make up split DNS.

For dataplane DNS resolutions, the source IP address of the request that the PAN-OS DNS proxy sends to the outside DNS server is the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 172.16.1.1 to the DNS proxy at 192.168.1.1, the request to the DNS server (at 10.10.10.10) uses a source of 192.168.1.1 and a destination of 10.10.10.10.
1. Select Network > DNS Proxy and click Add.
2. Click Enable and enter a Name for the DNS Proxy.
3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).
4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts, in this example, Ethernet1/20.
5. Choose or create a Server Profile to customize the DNS servers that resolve DNS requests for this tenant.
6. On the DNS Proxy Rules tab, Add a Name for the rule.
7. (Optional) Select Turn on caching of domains resolved by this mapping.
8. Add one or more Domain Name(s), one entry per row. DNS Proxy Rule and FQDN Matching describes how the firewall matches FQDNs to domain names in a DNS proxy rule.
9. For DNS Server profile, select a profile. The firewall compares the domain name in the DNS request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS Server profile defined in the rule is used to determine the DNS server. In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the Server Profile (Corp1 DNS Server Profile) is used.
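The decision path the steps above configure, as an added model written for this page rather than PAN-OS code: a query is checked against the proxy rules first, falls back to the proxy's Server Profile otherwise, and the forwarded packet is sourced from the proxy address instead of the client. The exact/wildcard matching rule, the first-match-wins ordering, the rule name and the fallback server 10.10.20.20 are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ServerProfile:
    name: str
    servers: list          # DNS server addresses, tried in order

@dataclass
class ProxyRule:
    name: str
    domains: list          # domain names, one per row in the rule
    profile: ServerProfile
    cache: bool = False    # "Turn on caching of domains resolved by this mapping"

@dataclass
class DnsProxy:
    address: str           # proxy address on the tenant-facing interface
    default_profile: ServerProfile
    rules: list = field(default_factory=list)

def rule_matches(domain, qname):
    """Assumed matching: exact name, or '*.suffix' matching any subdomain."""
    qname, domain = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    if domain.startswith("*."):
        return qname.endswith(domain[1:])
    return qname == domain

def resolve_path(proxy, client_ip, qname):
    """Decide which profile serves the query and what the forwarded packet looks like."""
    for rule in proxy.rules:
        if any(rule_matches(d, qname) for d in rule.domains):
            profile, matched, cache = rule.profile, rule.name, rule.cache
            break
    else:  # no rule matched: fall back to the proxy's Server Profile
        profile, matched, cache = proxy.default_profile, None, False
    return {"client": client_ip, "rule": matched, "profile": profile.name,
            "cache": cache,
            # dataplane lookup: source is the proxy address, not the client,
            # and no service route from the profile is applied
            "src": proxy.address, "dst": profile.servers[0]}

# Constructed example values in the spirit of the text (10.10.20.20 is made up).
MYWEB = ServerProfile("myweb", ["10.10.10.10"])
CORP1 = ServerProfile("Corp1 DNS Server Profile", ["10.10.20.20"])
PROXY = DnsProxy("192.168.1.1", CORP1,
                 [ProxyRule("myweb-rule", ["myweb.corp1.com"], MYWEB, cache=True)])
```

Running `resolve_path(PROXY, "172.16.1.1", "myweb.corp1.com")` shows the forwarded request with source 192.168.1.1 and destination 10.10.10.10, matching the worked example in the text.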