Configure a DNS Proxy Object
Configure a DNS proxy object.
If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy
Object. The proxy object can either be shared among all virtual systems
or applied to a specific virtual system.
When the firewall is enabled to act as a DNS proxy, evasion signatures that
detect crafted HTTP or TLS requests can alert on instances where a client
connects to a domain other than the one specified in the original DNS query.
As a best practice, Enable Evasion Signatures after configuring the DNS proxy
so that the firewall triggers an alert if it detects crafted requests.
- Configure the basic settings for a DNS Proxy object.
- Select Network > DNS Proxy and Add a new object.
- Verify that Enable is selected.
- Enter a Name for the object.
- For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
- If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
- For Inheritance Source, select a source from which to inherit default DNS server settings. The default is None.
- For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
- If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
- If you use the DNS Proxy object for a service route, the interface is optional.
- (Optional) Specify DNS Proxy rules.
- On the DNS Proxy Rules tab, Add a Name for the rule.
- Turn on caching of domains resolved by this mapping if you want the firewall to cache the resolved domains.
- For Domain Name, Add one or more domains, one entry per row, to which the firewall compares FQDN queries. If a query matches one of the domains in the rule, the query is sent to one of the following servers to be resolved (depending on what you configured in the prior step):
- The Primary or Secondary DNS Server directly specified for this proxy object.
- The Primary or Secondary DNS Server specified in the DNS Server profile for this proxy object.
DNS Proxy Rule and FQDN Matching describes how the firewall matches domain names in an FQDN to a DNS proxy rule. If no match is found, the default DNS servers resolve the query.
- Do one of the following, depending on what you set the Location to:
- If you chose a virtual system, select a DNS Server profile.
- If you chose Shared, enter a Primary and optionally a Secondary address.
- Click OK.
- (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without sending a query to the DNS server.
- On the Static Entries tab, Add a Name.
- Enter the Fully Qualified Domain Name (FQDN).
- For Address, Add the IP address to which the FQDN should be mapped. You can provide additional IP addresses for an entry. The firewall will provide all of the IP addresses in its DNS response and the client chooses which address to use.
- Click OK.
- (PAN-OS 11.2.1 and later releases) (Optional) Configure the DNS proxy to accept encrypted DNS queries from DNS clients and send encrypted DNS queries to DNS servers.
- On the Encrypted DNS tab, Enable Encrypted DNS. If Enable Encrypted DNS isn't selected, the DNS proxy sends cleartext DNS requests to DNS servers, whether the client DNS request is encrypted or not.
- For Server Settings, select one Connection Type that the firewall (DNS proxy) will use to communicate with DNS servers:
- DoH—DNS over HTTPS (Hypertext Transfer Protocol Secure). DoH uses port 443. When encrypted DNS is enabled and DoH is the connection type:
- A primary DNS address is required and the DNS proxy sends all DNS requests to the primary DNS server using DoH. If no response arrives from the primary DNS server, the DNS proxy sends DoH requests to the secondary DNS server.
- No other HTTPS services are allowed on the interface that is acting as a DNS proxy.
- An SSL decryption policy must be configured from the DNS client to DNS server so that the DNS proxy can decrypt DoH traffic.
- DoT—DNS over TLS (Transport Layer Security). DoT uses port 853, which is dedicated to DoT traffic. When encrypted DNS is enabled and DoT is the connection type:
- A primary DNS address is required and the DNS proxy sends all DNS requests to the primary DNS server using DoT. If no response arrives from the primary DNS server, the DNS proxy sends DoT requests to the secondary DNS server.
- No other TLS services are allowed on the interface that is acting as a DNS proxy.
- Origin—DNS proxy sends all DNS requests to the primary DNS server using the same DNS type as that received from the client. A primary DNS address is required. If the DNS proxy receives no DNS response from the primary DNS server within the TCP timeout period, the DNS proxy sends the DNS request to the secondary DNS server.
- Cleartext—Plain, unencrypted DNS traffic.
- Select Fallback on Unencrypted DNS to have the DNS proxy fall back to traditional DNS (cleartext) if the DNS server rejects encrypted DNS or times out (the DNS proxy receives no response of the configured connection type [DoH or DoT] from the primary or secondary DNS server within the configured TCP timeout period).
- Enter the TCP Timeout (sec) in seconds, the length of time by which the primary DNS server must respond before the DNS query goes to the secondary DNS server, and the length of time by which the secondary DNS server must respond before the DNS query falls back to cleartext DNS communications; range is 1 to 10; default is 1 second.
- For Client Settings, select one or more Allowed DNS Types that the DNS proxy will accept from the client:
- DoH—DNS proxy must decrypt DoH traffic and proxy DNS as specified for Server Settings:
- If Origin is the Server Setting, the DNS proxy sends DNS requests as DoH.
- If DoH is the Server Setting, the DNS proxy sends DNS requests as DoH.
- If DoT is the Server Setting, the DNS proxy sends DNS requests as DoT.
- DoT—DNS proxy must decrypt DoT traffic and proxy DNS as specified for Server Settings:
- If Origin is the Server Setting, the DNS proxy sends DNS requests as DoT.
- If DoH is the Server Setting, the DNS proxy sends DNS requests as DoH.
- If DoT is the Server Setting, the DNS proxy sends DNS requests as DoT.
- Cleartext—DNS proxy must proxy DNS requests as specified for Server Settings:
- If Origin is the Server Setting, the DNS proxy sends DNS requests as cleartext.
- If DoH is the Server Setting, the DNS proxy sends DNS requests as DoH.
- If DoT is the Server Setting, the DNS proxy sends DNS requests as DoT.
- Select an SSL/TLS Service Profile or create a new SSL/TLS Service Profile to use for DNS encryption between the client and DNS proxy, or select None.
- Click OK.
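To make the forwarding and downgrade paths in the Server Settings and Client Settings steps above explicit, here is an added Python model (not Palo Alto Networks code) of how the DNS proxy picks an upstream transport and works through the primary server, the secondary server and, only when Fallback on Unencrypted DNS is selected, cleartext. The function names, the ProxyConfig class and the simulated server answers are this example's own assumptions.

```python
from dataclasses import dataclass

SERVER_SETTINGS = ("DoH", "DoT", "Origin", "Cleartext")
CLIENT_TYPES = ("DoH", "DoT", "Cleartext")


def upstream_type(client_type, server_setting, encrypted_dns):
    """Transport the proxy uses toward the DNS servers for one client request."""
    if client_type not in CLIENT_TYPES or server_setting not in SERVER_SETTINGS:
        raise ValueError("unknown DNS type or Server Settings connection type")
    if not encrypted_dns:
        # Enable Encrypted DNS unchecked: upstream is always cleartext,
        # even when the client's own request arrived as DoH or DoT.
        return "Cleartext"
    # Origin keeps the client's type; DoH, DoT and Cleartext override it.
    return client_type if server_setting == "Origin" else server_setting


@dataclass
class ProxyConfig:
    encrypted_dns: bool
    server_setting: str               # Server Settings connection type
    allowed_client_types: frozenset   # Allowed DNS Types (client side)
    fallback_on_unencrypted: bool = False
    tcp_timeout: int = 1              # TCP Timeout (sec), range 1-10

    def __post_init__(self):
        if not 1 <= self.tcp_timeout <= 10:
            raise ValueError("TCP Timeout (sec) must be between 1 and 10")


def forward(cfg, client_type, answers):
    """Simulate the proxy's server selection for one request.

    answers maps (server, transport) -> True if that server replies within
    the TCP timeout (constructed stand-in for real servers). Returns the
    ordered attempts and the (server, transport) that answered, or None.
    """
    if client_type not in cfg.allowed_client_types:
        return [], None          # not an Allowed DNS Type: request refused
    transport = upstream_type(client_type, cfg.server_setting, cfg.encrypted_dns)
    attempts = []
    for server in ("primary", "secondary"):   # primary first, then secondary
        attempts.append((server, transport))
        if answers.get((server, transport)):
            return attempts, (server, transport)
    # Both encrypted attempts timed out: downgrade only if the admin opted in.
    # Retrying primary then secondary in cleartext is this example's assumption.
    if transport in ("DoH", "DoT") and cfg.fallback_on_unencrypted:
        for server in ("primary", "secondary"):
            attempts.append((server, "Cleartext"))
            if answers.get((server, "Cleartext")):
                return attempts, (server, "Cleartext")
    return attempts, None


# Constructed scenario: DoT upstreams never answer, cleartext on primary does.
SAMPLE_ANSWERS = {("primary", "DoT"): False, ("secondary", "DoT"): False,
                  ("primary", "Cleartext"): True}
```

With Fallback on Unencrypted DNS selected, a DoH client's query ends up on the wire in cleartext after both DoT attempts time out; with it cleared, the same query simply fails, which is the behaviour to choose when the point of the deployment is to keep client DNS off cleartext.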
- Enable caching and configure other advanced settings for the DNS Proxy.
- On the Advanced tab, select TCP Queries to enable DNS queries using TCP.
- Max Pending Requests—Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64 to 256; default is 64).
- For UDP Queries Retries, enter:
- Interval (sec)—Length of time (in seconds) after which another request is sent if no response has been received (range is 1 to 30; default is 2).
- Attempts—Maximum number of UDP query attempts (excluding the first attempt), after which the next DNS server is queried (range is 1 to 30; default is 5).
- Select Cache to enable the firewall to cache FQDN-to-address mappings that it learns. You must enable Cache (enabled by default) if this DNS proxy object is used for queries that the firewall generates (that is, under Device > Setup > Services > DNS, or under Device > Virtual Systems when you select a virtual system and then General > DNS Proxy).
- Select Enable TTL to limit the length of time the firewall caches DNS resolution entries for the proxy object. Disabled by default.
- Enter Time to Live (sec), the number of seconds after which all cached entries for the proxy object are removed. After the entries are removed, new DNS requests must be resolved and cached again. Range is 60 to 86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
- Cache EDNS Responses—You must enable this setting if this DNS proxy object is used for queries that the firewall generates (that is, under Device > Setup > Services > DNS, or under Device > Virtual Systems when you select a virtual system and then General > DNS Proxy).
- Commit your changes. Click OK and Commit.