PAN NGFW IPv6 NDP RA RDNSS & DNSSL

Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how Windows and Linux react to it.

I am using a PA-200 firewall with PAN-OS 8.0.3. The two features (RDNSS & DNSSL) are new since version 8.0 and are specified in RFC 6106, IPv6 Router Advertisement Options for DNS Configuration. (Shit, I just saw that it is already obsoleted by RFC 8106. Anyway…) Using router advertisements along with the RDNSS option allows an IPv6-only host to be operational without needing stateless DHCPv6 to learn its DNS server. Great.

Windows & Linux Before RDNSS

Before I configured the option on the Palo Alto firewall I captured the network settings as well as a basic DNS request on a Windows 7 machine and an Ubuntu 16.04.2 LTS machine. Note that the DNS queries are sent via legacy IP (IPv4) since the DNS server was known through DHCPv4 only.

Windows:

Linux:

Palo Alto IPv6 DNS Support

The RDNSS & DNSSL settings are, as always, configurable through the great GUI from Palo Alto Networks. They are at the network interfaces (in my case layer 3 subinterfaces) -> IPv6 -> DNS Support. Note that it is mandatory that the “Enable Router Advertisement” checkbox on the “Router Advertisement” tab is enabled, because otherwise no RAs would be sent at all. ;) And don’t forget to commit.

Here are my settings. I am using my BIND recursive DNS server along with a DNS suffix:

Capturing with Wireshark you can see the two new options within the RA:

(By the way: Note that PAN sends its “prefix information” with the IPv6 address of the interface rather than the mere prefix. In my case it sends 2003:51:6012:125::1/64 rather than 2003:51:6012:125::/64. This is ok due to RFC 4861, section 4.6.2, though a bit irritating from my point of view. Short discussion about that on Twitter.)
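To see what the capture above actually contains on the wire, here is an added example (my own code, not part of the original post and not Palo Alto’s) that decodes the three RA options involved: Prefix Information (RFC 4861, type 3), RDNSS (type 25) and DNSSL (type 31). It also builds a constructed sample RA that reproduces the prefix-information quirk from the note above (the interface address 2003:51:6012:125::1/64 carried in the option) and reports whether host bits are set, normalising to the /64 the way a client would. The DNS server address 2001:db8::53 and the suffix example.net are constructed placeholders, since the post does not state the real values; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header.

```python
"""Decode IPv6 Router Advertisement options (RFC 4861 Prefix Information,
RFC 8106 RDNSS and DNSSL) from raw ICMPv6 bytes. Added example, not from
the original post; sample values below are constructed."""
from __future__ import annotations
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
OPT_DNSSL = 31


def _decode_dns_names(data: bytes) -> list[str]:
    """Decode RFC 1035 wire-format names; DNSSL pads to 8 octets with zeros."""
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while pos < len(data):
            length = data[pos]
            pos += 1
            if length == 0:          # end of name, or a padding byte
                break
            if pos + length > len(data):
                raise ValueError("truncated DNSSL label")
            labels.append(data[pos:pos + length].decode("ascii"))
            pos += length
        if labels:
            names.append(".".join(labels))
    return names


def parse_ra(icmpv6: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement (no IPv6 header)."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"prefixes": [], "rdnss": [], "dnssl": []}
    pos = 16                         # fixed RA header is 16 octets
    while pos + 2 <= len(icmpv6):
        otype, olen = icmpv6[pos], icmpv6[pos + 1]
        if olen == 0:                # RFC 4861 4.6: zero length must be rejected
            raise ValueError("zero-length ND option")
        body = icmpv6[pos + 2:pos + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, flags, valid, preferred, _, raw = struct.unpack("!BBIII16s", body)
            addr = ipaddress.IPv6Address(raw)
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            ra["prefixes"].append({
                "advertised": f"{addr}/{plen}",      # exactly as sent (may carry host bits)
                "prefix": str(net),                  # what the client treats as the prefix
                "host_bits_set": addr != net.network_address,
                "on_link": bool(flags & 0x80),
                "autonomous": bool(flags & 0x40),
                "valid": valid,
                "preferred": preferred,
            })
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            lifetime = struct.unpack("!I", body[2:6])[0]
            for i in range(6, len(body), 16):
                ra["rdnss"].append({"server": str(ipaddress.IPv6Address(body[i:i + 16])),
                                    "lifetime": lifetime})
        elif otype == OPT_DNSSL and olen >= 2:
            lifetime = struct.unpack("!I", body[2:6])[0]
            for name in _decode_dns_names(body[6:]):
                ra["dnssl"].append({"suffix": name, "lifetime": lifetime})
        # unknown or malformed option types are skipped, as RFC 4861 requires
        pos += olen * 8
    return ra


def _opt(otype: int, payload: bytes) -> bytes:
    """Wrap an option payload with type/length, padding to a multiple of 8."""
    payload += b"\x00" * ((-(2 + len(payload))) % 8)
    return struct.pack("!BB", otype, (2 + len(payload)) // 8) + payload


def _wire_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_sample_ra() -> bytes:
    """Constructed RA resembling the capture: prefix option with ::1 host bits,
    one RDNSS server and one DNSSL suffix (placeholder values, checksum 0)."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    prefix = _opt(OPT_PREFIX_INFO, struct.pack(
        "!BBIII16s", 64, 0xC0, 2592000, 604800, 0,
        ipaddress.IPv6Address("2003:51:6012:125::1").packed))
    rdnss = _opt(OPT_RDNSS, b"\x00\x00" + struct.pack("!I", 1800)
                 + ipaddress.IPv6Address("2001:db8::53").packed)   # constructed
    dnssl = _opt(OPT_DNSSL, b"\x00\x00" + struct.pack("!I", 1800)
                 + _wire_name("example.net"))                      # constructed
    return header + prefix + rdnss + dnssl


if __name__ == "__main__":
    import json
    print(json.dumps(parse_ra(build_sample_ra()), indent=2))
```

Feeding the bytes of a real RA (for example exported from Wireshark as the ICMPv6 layer) into parse_ra() shows the same three structures the screenshot does, and the host_bits_set flag makes the ::1-versus-:: quirk visible without reading the hex by hand.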

Windows & Linux with RDNSS

I gathered the same information as before from Windows and Linux. Disillusion: Nothing changed. Neither Windows nor Linux is using the RDNSS/DNSSL options. ;( What a mess. It’s such a great option which could eliminate the need for a stateless DHCPv6 server. Short discussion about Windows support for RDNSS here.

At least for Linux I found a really simple way to use it though: rdnssd – IPv6 Recursive DNS Server discovery Daemon. After installing it (sudo apt-get install rdnssd) the Ubuntu machine learned and used the IPv6-enabled DNS server:

Yeah. ;)

Conclusion

One more time I am happy that Palo Alto Networks really enhances its platform and its IPv6 support with every new PAN-OS version. RDNSS is only one of many points. However, as long as Microsoft does not use this feature, customers will need a stateless DHCPv6 server for delivering the DNS server to the clients. But this feature is still missing on Palo Alto firewalls. ;(

Featured image: “Outdoor Bücher” by Robert Agthe is licensed under CC BY 2.0.
