DNS Proxy (configured by navigating to Network -> DNS Proxy) is a feature that can be very useful for environments where you do not have dedicated DNS servers, as it allows you to proxy all DNS requests through the firewall, as well as create static entries for forward and reverse lookups.
For example, if you use GlobalProtect in an Always-On configuration, you will need a way for the app to determine when it is on the internal network so that it does not build a VPN tunnel. The static entry below is an example:
See my first GlobalProtect post for additional details regarding internal host detection.
Showing posts with label palo alto dns proxy.
Sunday, March 22, 2020
Wednesday, July 19, 2017
Palo Alto Networks - Bing Safe Search Options
Safe Search allows administrators to block explicit content. This is especially important in educational institutions (e.g., K-12). Palo Alto Networks offers multiple ways to enforce this feature. However, each of these options requires implementing SSL Forward Proxy, as most search engines now use SSL. That being said, Bing does not honor the safe search settings over SSL, so the Palo Alto Networks documentation recommends disabling SSL for Bing searches. For some organizations, this may not be a viable option. Luckily, Bing currently offers a DNS method that can be leveraged to ensure that safe search is enforced over SSL. It is recommended to use SSL Forward Proxy on the Palo Alto Networks firewall in conjunction with this method so that you have full control of and visibility into user searches. Below are the DNS Proxy configuration steps for the firewall if public DNS servers are in use in the environment. Keep in mind that the same objective can be accomplished via an internally managed DNS server, outside of the firewall configuration.
Navigate to Network -> DNS Proxy. Define your servers and the interfaces on which you would like to leverage DNS Proxy.
In the Static Entries tab, define specific FQDNs that you would like to map to specific IP addresses. As you will see below, Bing has an IP specified to enforce Safe Search (you can do an nslookup to verify the current IP that maps to restrict.bing.com).
Navigate to Device -> Setup -> Services -> Service Route Configuration, and select DNS. Verify the interface that is assigned. In my case, it is my trust interface.
Navigate to Policies -> Security. Create a security policy that only allows DNS for the source address specified in the Service Route Configuration. This will ensure that an end user will not be able to enter other DNS servers and successfully bypass your static entries. We are explicitly allowing only the firewall, and all else is denied (assuming you don't have an "allow all" policy configured below this rule).
Upon testing you will find that safe search is enforced. It should be noted that as part of my configuration I have followed Palo Alto Networks best practice of blocking all search engines except for Google, Bing, and Yahoo, so that I can be more granular with how users on my networks are performing searches. This step is optional, but I recommend it because it will make things easier to control.
Wednesday, November 23, 2016
Palo Alto Networks - Google Safe Search Options
Safe Search allows administrators to block explicit content. This is especially important in educational institutions (e.g., K-12). Palo Alto Networks offers multiple ways to enforce this feature. However, each of these options requires implementing SSL Forward Proxy, as most search engines now use SSL. Luckily, this can also be manually controlled via static entries in the DNS Proxy configuration on the firewall.
Navigate to Network -> DNS Proxy. Define your servers and the interfaces on which you would like to leverage DNS Proxy.
In the Static Entries tab, define specific FQDNs that you would like to map to specific IP addresses. As you will see below, Google has an IP specified to enforce Safe Search.
Navigate to Device -> Setup -> Services -> Service Route Configuration, and select DNS. Verify the interface that is assigned. In my case, it is my trust interface.
Navigate to Policies -> Security. Create a security policy that only allows DNS for the source address specified in the Service Route Configuration. This will ensure that an end user will not be able to enter other DNS servers and successfully bypass your static entries. We are explicitly allowing only the firewall, and all else is denied (assuming you don't have an "allow all" policy configured below this rule).
Upon testing you will find that safe search is enforced. It should be noted that as part of my configuration I have also blocked all search engines except for Google, so that I can be more granular with how users on my networks are performing searches. This step is optional, but I recommend it because it will make things easier to control.