Configure the DNS Service on the Prisma SD-WAN Interface
Configure DNS Roles and Profiles from the Prisma SD-WAN. DNS Service provides a rich suite of Domain Name System Services directly to branch users and devices.
Domain Name System (DNS) is a protocol that translates (resolves) a
user-friendly domain name to an IP address so that users can access computers,
websites, services, or other resources on the internet or private networks.
Create and configure both DNS Service Roles and DNS Service Profiles from the Prisma SD-WAN web interface. After the DNS roles and profiles are created, enable the DNS service on the branch ION device.
Locally significant configuration and attributes are specified at the device-level DNS service configuration, effectively augmenting or, in some cases, overriding the configuration specified in the DNS Service Profile.
DNS Service Roles are used to group interfaces that have common functions. Some interfaces listen for DNS requests, while others only forward DNS requests. In some cases, interfaces listen and forward DNS requests. After you assign a role to a specific DNS server's IP address in a global DNS service profile, the role gets assigned at the device level.
DNS Service Profiles are used to specify configuration parameters for the DNS service. Commonly configured parameters include DNS Servers, Domain to Address Mapping, Cache Configuration, and DNSSEC Configuration. After the DNS service profile is created, it is bound to a device.
The following topics describe how to configure the DNS Service on the Prisma SD-WAN web interface and the ION device.
Configure DNS Roles
The Prisma SD-WAN DNS Service provides a rich suite of Domain Name System Services directly to branch users and devices. The DNS service responds to DNS queries from a local cache, or forwards queries to upstream DNS servers. It retains the host details to ensure that local host names do not appear in the global DNS. The Prisma SD-WAN DNS service acts as a caching or authoritative server on devices in an assigned state for a branch site.
To access the DNS service, administrators must have support, super, network admin, security admin, and view only permissions. Navigate to the DNS service from the Prisma SD-WAN web interface.
- Select Manage > Resources > Configuration Profiles > DNS > DNS Service Roles and click Create DNS Role.
- Enter the Name, (Optional) Description, and (Optional) Tags for the DNS Service role.
- Click Save. The DNS Role screen displays the name of the DNS service, the number of DNS services, and DNS profiles using this role.
Configure DNS Profiles
Create a DNS Profile from the Prisma SD-WAN web interface.
- Select Manage > Resources > Configuration Profiles > DNS > DNS Service Roles and click Create DNS Profile.
- Enter Basic information for the profile, select to retain strict domain names and DNS loop detection, and add a DNS server.
  - Enter the Name, (Optional) Description, and (Optional) Tags for the DNS service profile.
  - Select to Enable strict domain name and to Enable DNS loop detection.
  - (Optional) Enter the Max EDNS Packets size. The default size is 4096.
  - (Optional) Choose a Listen DNS Role from the drop-down and enter the Listen Port number. The default value is 53. The optional value must be between 1 and 65535. Roles created as part of the DNS service are listed in the Listen DNS Role field.
  - (Optional) Select the option Send to all DNS Servers.
  - Add a DNS server by specifying the DNS Server IP and (Optional) DNS Server Port.
  - Select either IP Prefix or Domain and enter the required information. Configuring the IP Prefix forwards PTR (reverse lookups) for the specified subnet to the DNS server. Configuring the Domain Name option forwards name resolution requests for the specified domain(s) to the DNS server.
  - (Optional) Choose a Forward DNS Role from the drop-down and enter the Source Port. Roles created as part of the DNS service are listed in the Forward DNS Role field.
- Map Domain to Address to enable you to specify DNS responses with the configured mapping. The Domain to Address mapping and the IP address must be unique.
  - Click Add to add a domain address.
  - Specify the Domain Name and the IP Prefix.
- Specify the Queries and Responses parameters to append the client metadata to the DNS query as it is sent to the upstream DNS server. DNS responses can also be overridden, or specific responses can be blocked entirely.
  - Select Add a Client and specify the Mac Encoding Format.
  - Enter a Custom Text and an Identifier, or choose the Element ID/Element from the drop-down.
  - Add a new Subnet by entering the (Optional) IP Address and the Prefix Length.
  - Select to Disable private IP lookups. If required, enter Max TTL and Local TTL values in seconds.
  - (Optional) Enter IP addresses that can be identified as Bogus NX Domains and Ignore IP Addresses.
  - Create new Aliases by replacing the IP address. This can be done by either choosing to replace the Original IP Prefix or retaining the Original IP Range by entering the original start IP and original end IP.
- Specify the Cache and DNSSec proxy configurations.
  - Select the Disable Negative Caching option. If required, include values in seconds for Min Cache TTL, Max Cache TTL, Cache Size, and Negative Cache TTL.
  - Select to Stop dns rebind for private ip and to Enable localhost rebind.
  - (Optional) Enter the names of the Rebind Domains.
  - Select to enable the DNSSEC Proxy and DNSSEC Config options.
  - Enter information on Class, Domain, Key Tag, and Algorithm to Add a new Trust Anchor.
- Add a record by entering basic information in Authoritative Config or enter secondary server details.
  - (Optional) Enter Secondary Server details, Peers, and TTL value in seconds.
  - To Add a record, enter the Name (record names are listed in the drop-down), Flags, Tag, and Value.
- Complete all configuration requirements and Submit.
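A pre-submit check for the constraints this procedure states (Listen Port between 1 and 65535, unique Domain to Address entries, trust anchors with all four fields), as an added example that is not Palo Alto Networks code. The dictionary keys, the sample values and the `lint_dns_profile` function are hypothetical and do not reflect the Prisma SD-WAN API schema.

```python
import ipaddress

# Hypothetical keys for an offline copy of a DNS Service Profile. They mirror
# the UI labels on this page and are not the Prisma SD-WAN API schema.
TRUST_ANCHOR_FIELDS = ("class", "domain", "key_tag", "algorithm")


def lint_dns_profile(profile):
    """Return findings for values that break constraints stated on the page."""
    findings = []
    # Listen Port: default 53, otherwise an integer between 1 and 65535.
    port = profile.get("listen_port", 53)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"listen_port {port!r} is outside 1-65535")
    # Every DNS server entry needs a parseable IPv4 or IPv6 address.
    for i, server in enumerate(profile.get("dns_servers", [])):
        try:
            ipaddress.ip_address(server.get("ip", ""))
        except ValueError:
            findings.append(f"dns_servers[{i}] has no valid DNS Server IP")
    # Domain to Address: each domain and each address may appear only once.
    domains, addresses = set(), set()
    for entry in profile.get("domain_to_address", []):
        domain = entry["domain"].rstrip(".").lower()
        if domain in domains:
            findings.append(f"duplicate domain mapping: {domain}")
        if entry["ip"] in addresses:
            findings.append(f"duplicate mapped address: {entry['ip']}")
        domains.add(domain)
        addresses.add(entry["ip"])
    # A trust anchor needs Class, Domain, Key Tag and Algorithm.
    for i, anchor in enumerate(profile.get("trust_anchors", [])):
        missing = [f for f in TRUST_ANCHOR_FIELDS if not anchor.get(f)]
        if missing:
            findings.append(f"trust_anchors[{i}] is missing {', '.join(missing)}")
    return findings


# Constructed sample profile (documentation address ranges, made-up names).
SAMPLE_PROFILE = {
    "listen_port": 70000,
    "dns_servers": [{"ip": "192.0.2.53"}, {"ip": "2001:db8::53"}, {"ip": "dns.internal"}],
    "domain_to_address": [
        {"domain": "printer.branch.example", "ip": "198.51.100.10"},
        {"domain": "Printer.branch.example.", "ip": "198.51.100.11"},
    ],
    "trust_anchors": [{"class": "IN", "domain": ".", "key_tag": 12345}],
}
```

Calling `lint_dns_profile(SAMPLE_PROFILE)` returns one finding per broken constraint; an empty list means the profile passes these checks.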
Configure DNS Service on the ION Device
After you configure the DNS Service Roles and DNS Service Profiles, enable the
DNS Service at the device-level. Only a single instance is allowed per ION
device. You can map a DNS Service Profile to a DNS Service, assign interfaces to
the DNS service role mappings, and specify device-specific attributes. The DNS
service can be enabled or disabled as required. To configure the DNS service on
the ION device:
- Select Workflows > Devices > Claimed Devices > Select the device > Configure the device > DNS Service. The ION devices on version 6.2.1 and later support IPv6 servers.
- Configure the Service Info tab.
  - Enable the DNS service to ensure that the DNS profile selected is not optional. Once the DNS service is enabled, it is activated for both IPv4 and IPv6 addresses.
  - Enter a Name, (Optional) Description, and include (Optional) Tags for the DNS Service.
  - Select to maintain strict domain name and enable DNS loop detection options.
  - Select a DNS Profile from the drop-down. These include profiles that are created at the user interface level.
  - (Optional) Include values for Max Concurrent DNS Queries and the Cache Size. The default value is 150.
  - Click Add to bind a role to the DNS Service.
  - In the Add New Record dialog, choose the DNS Role, select the Interface or enter the Interface IP. The ION devices on version 6.2.1 and later support IPv6 servers.
- Configure the Queries Metadata tab.
  - (Optional) Configure the metadata under Customer Premises Equipment. If the entered values differ from the DNS Service Profile, the DNS Service values are considered.
  - In the Add New Record dialog, enter the (Optional) IP Address and the Prefix Length. This option is configured at both the user interface level and the device level.
- Configure the Domain Mapping tab.
  - (Optional) Add the domain names to the configured IP address and the configured interfaces. If the entered values differ from the DNS Service Profile, the DNS Service values are considered.
  - In the Domain to Interface section, click Add to enter the Domain Names and choose an Interface from the drop-down.
- Complete all configuration requirements and Submit.