Focus

Destination NAT with DNS Rewrite Use Cases

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Destination NAT

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Use Cases

The destination NAT topology with a DNS Server and the DNS response determine how you configure DNS Rewrite (in the reverse or forward direction).

When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall doesn’t perform NAT on that IP address, so the DNS server provides an internal IP address to an external device, or vice versa, resulting in the DNS client being unable to connect to the destination service.

To avoid that problem, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the translated IP address configured for the NAT policy rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also causes the firewall to perform NAT on IP addresses in DNS responses that match the original destination address or translated destination address in the rule.

DNS rewrite occurs at the global level; the firewall maps the Destination Address on the Original Packet tab to the Destination Address on the Translated Packet tab. All other fields on the Original Packet tab are ignored. When a DNS response packet arrives, the firewall checks whether the response contains any A record that matches one of the mapped destination addresses, based on the direction, as follows.

You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule— reverse or forward:

reverse—If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
forward—If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.

If you have an overlapping NAT rule with DNS Rewrite disabled, and a NAT rule below it that has DNS Rewrite enabled and is included in the overlap, the firewall rewrites the DNS response according to the overlapped NAT rule (in either reverse or forward setting). The rewrite takes precedence and the order of the NAT rules is ignored.

Consider the use cases for configuring DNS rewrite:

Destination NAT

Destination NAT with DNS Rewrite Reverse Use Cases

Next-Generation Firewall Docs

Destination NAT with DNS Rewrite Use Cases

Next-Generation Firewall Docs

Destination NAT with DNS Rewrite Use Cases

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner