DNS query from EC2 instance not hitting Palo Alto firewall

0

We are facing an issue in our setup. We are unable to see the DNS query traffic in the Palo Alto firewall, but we can see the response to the DNS query from the DNS server to the host machine. We had a support call with Palo Alto, but we could not find anything abnormal in the firewall. Below is the traffic flow and diagram.

DNS traffic: query from host > spoke VPC TGW ENI > TGW > transit VPC TGW ENI > via local route to Route 53 resolver endpoint > default route to GWLB endpoint > firewall > GWLB endpoint > TGW > spoke VPC TGW ENI > host

I need some pointers here. Please provide your input.

2 answers
0

Hi, let's work from your end goal. Are you trying to forward all DNS queries/responses that originate in your spoke-VPC to a Palo Alto firewall instance? This may be a routing issue in your VPC. What is the configuration of your outbound DNS resolver endpoint? In addition to the default route, do you have any other routes in the DNS resolver endpoint subnet?

PS: the packet will be forwarded from the spoke-VPC directly to the TGW in the 'forward' direction. The TGW will forward traffic to the Spoke-VPC-TGW-subnet on the return path.

AWS
Answered 2 years ago
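The answer above points at the route tables, so here is a way to reason about them concretely. The script below is an added example, not code from the poster or from AWS: it models the route tables a packet consults along the path in the question with longest-prefix matching (the same selection rule a VPC route table applies) and traces a query and its reply hop by hop. All CIDRs, table names and the `10.0.2.0/24 -> gwlbe` route used as the candidate fix are assumptions constructed for the illustration; whether that more-specific-than-local route is the right change for the poster's account is something only their route tables can confirm.

```python
"""
Trace which route table entries a DNS query and its reply hit on a hub-and-spoke
TGW + GWLB design like the one in the question. Topology is CONSTRUCTED:
  spoke VPC 10.1.0.0/16 (host 10.1.10.5), transit VPC 10.0.0.0/16 with
  TGW attachment subnet 10.0.1.0/24, Route 53 resolver endpoint 10.0.2.10 in
  10.0.2.0/24, and the GWLB endpoint in 10.0.3.0/24.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str  # CIDR as written in the route table
    target: str  # "local", "tgw", "gwlbe", or a TGW attachment name


def lookup(table, dst):
    """Longest-prefix match over one route table; returns the winning Route or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if dst in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


# Which route table a packet consults next after being sent to a given target.
NEXT_TABLE = {
    "tgw": "tgw-rtb",
    "gwlbe": "transit-gwlbe-subnet-rtb",  # consulted once the firewall hands the packet back
    "transit-attachment": "transit-tgw-subnet-rtb",
    "spoke-attachment": "spoke-tgw-subnet-rtb",
}


def build_tables(force_dns_via_firewall=False):
    """Constructed route tables; the optional flag adds the assumed fix."""
    tables = {
        "spoke-host-subnet-rtb": [Route("10.1.0.0/16", "local"), Route("0.0.0.0/0", "tgw")],
        "spoke-tgw-subnet-rtb": [Route("10.1.0.0/16", "local"), Route("0.0.0.0/0", "tgw")],
        "tgw-rtb": [Route("10.0.0.0/16", "transit-attachment"), Route("10.1.0.0/16", "spoke-attachment")],
        "transit-tgw-subnet-rtb": [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "gwlbe")],
        "transit-resolver-subnet-rtb": [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "gwlbe")],
        "transit-gwlbe-subnet-rtb": [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "tgw")],
    }
    if force_dns_via_firewall:
        # ASSUMED fix: in the TGW attachment subnet's table, a route more specific
        # than 'local' for the resolver endpoint subnet, pointing at the GWLB endpoint.
        tables["transit-tgw-subnet-rtb"].append(Route("10.0.2.0/24", "gwlbe"))
    return tables


def trace(tables, start_table, dst, max_hops=10):
    """Return the ordered hops a packet to dst takes, starting from start_table."""
    hops = []
    table = start_table
    for _ in range(max_hops):
        route = lookup(tables[table], dst)
        if route is None:
            hops.append("blackhole")
            return hops
        hops.append(f"{table}:{route.prefix}->{route.target}")
        if route.target == "local":
            hops.append("delivered")
            return hops
        if route.target == "gwlbe":
            hops.append("firewall")  # the GWLB endpoint hands the packet to the inspection appliance
        table = NEXT_TABLE[route.target]
    hops.append("hop-limit")
    return hops


def firewall_sees(hops):
    """True if the inspection appliance is on the traced path."""
    return "firewall" in hops


if __name__ == "__main__":
    for label, tables in (("as described", build_tables()), ("with assumed fix", build_tables(True))):
        print(f"== {label}")
        print("query :", " > ".join(trace(tables, "spoke-host-subnet-rtb", "10.0.2.10")))
        print("reply :", " > ".join(trace(tables, "transit-resolver-subnet-rtb", "10.1.10.5")))
```

Run as-is, the "as described" trace shows the query reaching the resolver endpoint through the transit VPC's `local` route without ever touching the GWLB endpoint, while the reply leaves the endpoint subnet via its default route and does pass the firewall. That asymmetry matches the symptom in the question (replies visible, queries not), which is why the exact contents of the TGW attachment subnet's and resolver endpoint subnet's route tables are the first thing to pull.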
0

I encountered the same issue and found that the default DNS configuration for the client is 127.0.0.53, so the traffic cannot pass through Palo Alto. So I solved the problem by modifying the client's DNS server to 8.8.8.8. You can try it out.

Answered 8 months ago
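Before changing the client's resolver, it is worth checking which server the host's queries actually go to. The script below is an added example, not the poster's or AWS's code: it parses the two files systemd-resolved maintains (the stub `resolv.conf` pointing at 127.0.0.53 and the generated upstream list) and classifies the effective resolver relative to the VPC CIDR. The file contents and the `10.1.0.0/16` VPC are constructed samples; on a real instance you would read `/etc/resolv.conf` and `/run/systemd/resolve/resolv.conf`.

```python
"""
Work out which resolver an EC2 instance really sends DNS to when
/etc/resolv.conf names the systemd-resolved stub (127.0.0.53).
"""
import ipaddress

# Constructed stand-ins for the two files on the instance.
RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search ec2.internal
"""

UPSTREAM_CONF = """\
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
nameserver 10.1.0.2
search ec2.internal
"""

STUB = ipaddress.ip_address("127.0.0.53")


def nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf-style text, in order."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # ignore malformed entries
    return out


def classify(addr, vpc_cidr):
    """Label a resolver address relative to the VPC the instance lives in."""
    addr = ipaddress.ip_address(addr)
    vpc = ipaddress.ip_network(vpc_cidr)
    if addr == STUB:
        return "stub"          # systemd-resolved; real upstream is in its generated file
    if addr.is_loopback:
        return "loopback"      # some other local resolver
    if addr == vpc.network_address + 2:
        return "vpc-plus-2"    # Amazon-provided resolver, answered inside the VPC
    if addr in vpc:
        return "in-vpc"        # e.g. a Route 53 inbound endpoint or your own DNS server
    return "external"          # leaves the VPC via the route tables


def effective_upstreams(resolv_conf, upstream_conf, vpc_cidr):
    """(address, label) pairs for the resolvers queries actually reach."""
    servers = nameservers(resolv_conf)
    if STUB in servers:
        servers = nameservers(upstream_conf)
    return [(str(a), classify(a, vpc_cidr)) for a in servers]


if __name__ == "__main__":
    for addr, label in effective_upstreams(RESOLV_CONF, UPSTREAM_CONF, "10.1.0.0/16"):
        print(f"{addr}: {label}")
```

The label matters for this question: queries to the Amazon-provided resolver at VPC+2 are answered inside the VPC and never cross the transit gateway, so an inline firewall in another VPC cannot see them regardless of route tables; only queries addressed to a resolver reached over the TGW path (an endpoint in the transit VPC, or an external address) can be steered through the inspection appliance.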
