Understanding NAT & DNS Proxy on Palo Alto Networks Firewalls

While Network Address Translation (NAT) modifies IP addresses in packet headers, its effectiveness often depends on correct Domain Name System (DNS) resolution, especially in scenarios involving internal users accessing internal resources via public names. Palo Alto Networks firewalls provide features like DNS Proxy to manage this interaction effectively, often eliminating the need for complex U-Turn NAT configurations.

The Problem: Internal Access via Public Name

Consider a common scenario:

What happens? The internal user's DNS query resolves www.mycompany.com to the public IP 203.0.113.50 . The user then tries to connect to this public IP. The traffic hits the firewall. To make this work, the firewall typically needs a U-Turn NAT configuration (both DNAT and SNAT for internal source/public destination) to hairpin the traffic back to the internal server. This can be complex to set up and potentially inefficient.

The Solution: Split-DNS via DNS Proxy

A better approach is "Split-DNS" (also called split-horizon DNS), where DNS resolution provides different answers based on the source of the query. Internal users get the internal IP, while external users get the public IP.

Palo Alto firewalls implement this using the DNS Proxy feature.

DNS Proxy Objects are configured under: Objects > DNS Proxy
DNS Proxy Rules are configured under: Policies > DNS Proxy

How DNS Proxy Works for Split-DNS

  1. Configure internal clients to use the firewall's interface IP address (on their local segment) as their DNS server.
  2. Create a DNS Proxy Object on the firewall. Configure it to handle specific domains.
  3. Within the DNS Proxy Object, define Static Entries . For example, create an entry mapping www.mycompany.com to the internal IP 10.1.1.100 .
  4. Configure the DNS Proxy Object to forward other queries (for domains not listed in static entries) to external DNS servers (like Google DNS, Cloudflare, or your ISP's DNS).
  5. Create a DNS Proxy Rule (under Policies > DNS Proxy) that applies the configured DNS Proxy Object to DNS traffic originating from specific internal zones (e.g., Trust) destined for the firewall interface acting as the DNS server.

Result of DNS Proxy

Benefit: Because the client connects directly to the internal IP, traffic flows directly from the Trust zone to the DMZ zone (or wherever the server is). No U-Turn NAT is needed for this specific access, simplifying NAT policy and potentially improving performance.

Interaction with Security Policy (Using DNS Proxy)

When DNS Proxy provides the internal IP address, the subsequent connection attempt bypasses the need for U-Turn NAT. The Security Policy evaluation is straightforward:

The standard external DNAT rule and its corresponding Security rule (Untrust zone to DMZ zone, Destination IP = Public IP) remain in place for external users.

NAT Rule DNS Rewrite Option

Palo Alto NAT rules also have a "DNS Rewrite" option (Reverse or Forward). This is typically used to ensure consistency when addresses are being translated by the NAT rule itself, rather than as the primary split-DNS mechanism. For example, if doing Static Source NAT, DNS Rewrite (Reverse) can translate embedded IPs in the DNS response payload back to the original source.

For standard split-DNS use cases (internal clients getting internal IPs), DNS Proxy is the dedicated and generally preferred feature .

NAT Rule DNS Rewrite Option Explained

Within Palo Alto Networks NAT policy rules, there's a checkbox option for "DNS Rewrite". This feature allows the firewall to inspect the payload of DNS responses passing through it and modify specific IP addresses found within that payload, corresponding to the address translation being performed by the *same NAT rule*. It has two modes: Reverse and Forward.

This feature is not the primary tool for implementing split-DNS (where internal users get internal IPs and external users get public IPs for the same FQDN) – DNS Proxy is generally preferred for that common use case. DNS Rewrite addresses specific situations where the NAT translation itself might cause inconsistencies if IP addresses are embedded directly in DNS response data.

Option found under: Policies > NAT > [Rule Name] > Translated Packet > DNS Rewrite

DNS Rewrite (Reverse)

DNS Rewrite (Forward)

Key Reminder: DNS Rewrite within NAT rules is for fixing inconsistencies caused by the NAT translation affecting DNS *payloads*. For the common "split-DNS" requirement (internal clients getting internal IPs for internal servers), configure internal clients to use the firewall's IP as their DNS server and use the firewall's DNS Proxy feature with Static Entries. This avoids complex NAT rules and directs internal clients correctly from the start.

NAT & DNS Proxy Quiz

1. What problem does using DNS Proxy primarily solve when internal users try to access internal resources using their public FQDNs?

2. To implement split-DNS using DNS Proxy on a Palo Alto firewall, where do you configure the specific mapping between an FQDN (e.g., `internal.myco.com`) and its internal private IP address (e.g., `10.2.2.20`)?

3. An internal client uses the firewall (configured as a DNS Proxy) for DNS resolution. The client queries `server.internal.lan`, and the DNS Proxy provides the internal IP `10.50.1.100`. Which destination IP address will the client use when initiating the actual connection to `server.internal.lan`?

4. Following the scenario in Question 3, where the internal client connects directly to the internal server's IP `10.50.1.100` (located in the DMZ zone) after DNS Proxy resolution, what should the Destination Address be in the Security Policy rule allowing this connection?

5. Compared to configuring U-Turn NAT, what is a primary advantage of using DNS Proxy for internal clients accessing internal resources via public FQDNs?