Article ID: 7892
Tags: ALG, DNS, NAT, Policy, 9.0, 9.1, 10.0, 10.1, PAN-OS, Strata
When a firewall has Destination NAT rules configured with DNS rewrite, the firewall should NAT the IP address returned by the DNS server in the DNS response according to the configured NAT rule.
The IP address in the DNS response packet from server to client is not being NATed as per the NAT policy.
Refer to Destination NAT with DNS Rewrite Use Cases and Configure Destination NAT with DNS Rewrite for details.
Palo Alto Firewalls
PAN-OS 9.1, 10.1, 10.2
Destination NAT rule configured with DNS rewrite
Disable Server Response Inspection (DSRI) checked.
One of the reasons the DNS rewrite operation can fail is the "Disable Server Response Inspection" option being enabled/checked in the security policy.
With "Disable Server Response Inspection" enabled/checked, the firewall stops Layer 7 inspection for response traffic (server-to-client traffic), and this stops the DNS rewrite operation on DNS response packets.
Refer to Disable Server Response Inspection BPA Checks for details.
Disable/uncheck "Disable Server Response Inspection" in the security policy (GUI: Policies > Security > select the rule). Note that DSRI is disabled by default.
Commit the configuration.
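As an added example (not part of this article or of PAN-OS), the following script audits an exported PAN-OS configuration for security rules that have DSRI checked and that could match DNS traffic, which is the combination that breaks DNS rewrite. It assumes the XML export layout `rulebase/security/rules/entry/option/disable-server-response-inspection` with the value `yes`; the sample config below is constructed, not taken from a real firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS security rulebase export (assumed layout, not a real config).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-dns">
    <application><member>dns</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="allow-web">
    <application><member>web-browsing</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="allow-any">
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

RULE_PATH = ".//rulebase/security/rules/entry"  # assumed path in the export
DSRI_PATH = "option/disable-server-response-inspection"


def dsri_enabled(rule):
    """True when the rule has 'Disable Server Response Inspection' checked.
    An absent element means the default, i.e. DSRI unchecked."""
    return rule.findtext(DSRI_PATH, default="no").strip().lower() == "yes"


def dsri_rules(config_xml):
    """Names of all security rules with DSRI checked."""
    root = ET.fromstring(config_xml)
    return [r.get("name") for r in root.iterfind(RULE_PATH) if dsri_enabled(r)]


def dns_rewrite_breakers(config_xml):
    """DSRI rules that can carry DNS traffic (application 'dns' or 'any').
    On these rules the firewall skips Layer 7 inspection of the server response,
    so the DNS rewrite of the destination NAT rule is never applied."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iterfind(RULE_PATH):
        apps = {m.text.strip() for m in rule.iterfind("application/member") if m.text}
        if dsri_enabled(rule) and apps & {"dns", "any"}:
            hits.append(rule.get("name"))
    return hits


if __name__ == "__main__":
    print("DSRI rules:", dsri_rules(SAMPLE_CONFIG))
    print("Rules that break DNS rewrite:", dns_rewrite_breakers(SAMPLE_CONFIG))
```

Uncheck DSRI on every rule the second function reports, then commit, as described in the resolution above.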