DNS Overview
DNS performs a crucial role in enabling user access to network resources so that users don't need
to remember IP addresses, and individual computers don't need to store a huge volume of
domain names mapped to IP addresses. DNS employs a client/server model; a DNS server
resolves a query for a DNS client by looking up the domain in its cache and if necessary
sending queries to other servers until it can respond to the client with the
corresponding IP address.
The DNS structure of domain names is hierarchical; the top-level
domain (TLD) in a domain name can be a generic TLD (gTLD): com,
edu, gov, int, mil, net, or org (gov and mil are for the United
States only) or a country code (ccTLD), such as au (Australia) or
us (United States). ccTLDs are generally reserved for countries and
dependent territories.
A fully qualified domain name (FQDN) includes at a minimum a
host name, a second-level domain, and a TLD to completely specify
the location of the host in the DNS structure. For example, www.paloaltonetworks.com
is an FQDN.
Wherever a Palo Alto Networks® firewall uses an FQDN in the user interface or CLI, the
firewall must resolve that FQDN using DNS. Depending on where the FQDN query originates,
the firewall determines which DNS settings to use to resolve the query.
A DNS record of an FQDN includes a time-to-live (TTL) value,
and by default the firewall refreshes each FQDN in its cache based
on that individual TTL provided the DNS server, as long as the TTL
is greater than or equal to the
Minimum FQDN Refresh
Time you configure on the firewall, or the default setting
of 30 seconds if you don’t configure a minimum. Refreshing an FQDN
based on its TTL value is especially helpful for securing access
to cloud platform services, which often require frequent FQDN refreshes
to ensure highly available services. For example, cloud environments
that support autoscaling depend on FQDN resolutions for dynamically
scaling services up and down, and fast resolutions of FQDNs are
critical in such time-sensitive environments.
By configuring a minimum FQDN refresh time, you limit how small
a TTL value the firewall honors. If your IP addresses don’t change
very often you may want to set a higher Minimum FQDN Refresh Time
so that the firewall doesn’t refresh entries unnecessarily. The
firewall uses the higher of the DNS TTL time and the configured
Minimum FQDN Refresh Time.
For example, two FQDNs have the following TTL values. The Minimum
FQDN Refresh Time overrides smaller (faster) TTL values.
| TTL | If Minimum FQDN Refresh = 26 | Actual Refresh Time |
The FQDN refresh timer starts when the firewall receives a DNS
response from the DNS server or DNS proxy object that is resolving
the FQDN.
Additionally, you can set a
stale timeout to
configure how long the firewall continues to use stale (expired)
FQDN resolutions in the event of an unreachable DNS Server. At the
end of the stale timeout period, if the DNS server is still unreachable,
the stale FQDN entries become unresolved (the firewall removes stale
FQDN entries).
Beginning with PAN-OS 11.2.1 and later releases, you can
use encrypted DNS for DNS proxy. You can also use encrypted DNS for the management
interface, whether the management interface connects to DNS servers or uses a DNS proxy.
Encrypted DNS increases user privacy and security for DNS traffic between a client and
server by preventing man-in-the-middle attacks. Encrypted DNS occurs between these
devices:
- For the management interface, encrypted DNS occurs between the firewall and the DNS
server.
- For DNS proxy, you can configure encrypted DNS in both directions; you specify one
or more types of encrypted DNS the firewall will accept from the DNS client, and you
specify just one type of encrypted DNS the firewall will use with the DNS
server.
The firewall supports two DNS encryption types: DNS over
HTTPS (DoH) and DNS over TLS (DoT). You have the option for the firewall to fall back on
traditional DNS (cleartext) if the DNS server rejects encrypted DNS or times out
(receives no response from the primary or secondary DNS server within the configured TCP
timeout period). When encrypted DNS is configured for an interface, that interface must
not host other traffic on TCP ports 443 or 853.
The following firewall tasks are related to DNS:
- Configure your firewall with at least one DNS server so it can resolve hostnames. Configure
primary and secondary DNS servers or a DNS Proxy object that specifies such servers,
as shown in Use Case 1: Firewall Requires DNS Resolution.
- (PAN-OS 11.2.1 and later releases) Configure
encrypted DNS for the management interface, as shown in Perform Initial Configuration.
- Configure a DNS Proxy Object.
- (PAN-OS 11.2.1 and later releases) Configure
encrypted DNS for a DNS Proxy Object..
- Customize how the firewall handles DNS resolution initiated by Security policy rules, reporting,
and management services (such as email, Kerberos, SNMP, syslog, and more) for each
virtual system, as shown in Use Case 2: ISP Tenant
Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and
Services within its Virtual System.
- Configure the firewall to act as a DNS server for a client, as shown in Use Case 3: Firewall
Acts as DNS Proxy Between Client and Server.
- Configure an Anti-Spyware profile to Use DNS Queries to Identify Infected Hosts on the
Network.
- Enable Evasion Signatures and then enable
evasion signatures for threat prevention.
- Configure an Interface
as a DHCP Server. This enables the firewall to act as a DHCP Server and
sends DNS information to its DHCP clients so the provisioned DHCP clients can reach
their respective DNS servers.
