Problem using Cloudflare as a resolver with the Palo Alto DNS Proxy for some hosts

nathan29 · February 25, 2025, 2:07am

What is the name of the domain?

awsapps.com

What is the error number?

no error number

What is the error message?

“Truncated, retrying in TCP mode.”

What is the issue you’re encountering

Can’t reliably use Cloudflare’s DNS with the Palo Alto DNS Proxy because resolving some host names will time out.

What steps have you taken to resolve the issue?

I have used dig to confirm that the UDP response from 1.1.1.1 is not a good one for some hosts and dig will successfully retry using TCP. Palo Alto’s DNS Proxy does not have a TCP retry however. As a workaround I am using Google’s 8.8.8.8 DNS to resolve *.awsapps.com for now with the Palo Alto DNS Proxy until this issue is resolved.

What feature, service or problem is this related to?

Nameservers

What are the steps to reproduce the issue?

If I use Cloudflare’s DNS such as 1.1.1.1 for the resolver with Palo Alto’s DNS Proxy then trying to resolve d-9067e46b0f.awsapps.com will time out.

cscharff · February 25, 2025, 2:19am

Hah that can’t possibly be true can it? Have you confirmed this with Palo Alto support?

Do you have TCP Proxy enabled on the Palo?

nathan29 · February 25, 2025, 5:59am

We are using the Palo Alto DNS Proxy as our internal DNS resolver on our LAN. I have a ticket open with Palo Alto regarding this issue, hopefully we can get to the bottom of it… but their DNS Proxy is pretty basic. It doesn’t coordinate with the Palo Alto DHCP server, so that client host names do not automatically get a DNS entry. I’ve had to create DHCP reservations for hosts and then manually create static DNS entries in the DNS Proxy for each host, one by one. There is no indication their DNS Proxy supports DNS-over-TLS, DNS-over-HTTPS, or DNS-over-QUIC. If they do support DNS over TCP, they’re not handling it properly since like I said, when a UDP query doesn’t return the data the Palo Alto DNS Proxy was expecting, the client just ends up with a DNS query timing out.

nathan29 · February 25, 2025, 6:01am

Here’s a comparison of the dig output from Cloudflare vs. Google DNS for a “problem” host:

% dig @1.1.1.1 d-9067e46b0f.awsapps.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> @1.1.1.1 d-9067e46b0f.awsapps.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21837
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;d-9067e46b0f.awsapps.com.	IN	A

;; ANSWER SECTION:
d-9067e46b0f.awsapps.com. 60	IN	A	13.226.241.210

;; Query time: 92 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Feb 24 16:16:29 EST 2025
;; MSG SIZE  rcvd: 69


% dig @8.8.8.8 d-9067e46b0f.awsapps.com

; <<>> DiG 9.10.6 <<>> @8.8.8.8 d-9067e46b0f.awsapps.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48698
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;d-9067e46b0f.awsapps.com.	IN	A

;; ANSWER SECTION:
d-9067e46b0f.awsapps.com. 60	IN	A	18.154.95.162

;; Query time: 89 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 24 16:16:12 EST 2025
;; MSG SIZE  rcvd: 69

cscharff · February 25, 2025, 7:12am

What is happening is none of those things. A response too large for a single UDP packet is retried by a resolver using TCP. I can’t recall what RFC spells that out, but it’s been a feature of standard DNS for decades.

If it isn’t a configuration issue on the Palo you should literally yeet the thing into the river because it’s far more useful as a boat anchor than as an IT tool.

nathan29 · February 25, 2025, 5:05pm

I didn’t mean to imply that the lack of the other DNS query methods was the source of the problem, I mentioned it simply to indicate the lack of development of the Palo Alto DNS Proxy, as in it feels like an afterthought of a feature. I don’t think the service gets much attention because Palo Alto firewalls are expensive devices which means that a lot of customers who use them have other infrastructure which runs DNS internally so they don’t rely on the Palo Alto DNS Proxy, and people aren’t buying a PA firewall for it’s DNS Proxy abilities. It probably sees more use relaying internal DNS records entirely inside customer environments than it does doing public record lookups for hosts inside those networks (which is where we’re encountering this issue).

Palo Alto support, as expensive as it is, is outsourced to a callcenter in India where the people who respond to tickets went through training courses and don’t have that much real-world experience, so dealing with them is frustrating when it comes to bugs like this in their feature set.

Is there a way to figure out why Cloudflare’s DNS returns more data for that lookup than Google’s DNS, other than Wireshark?

nathan29 · February 25, 2025, 8:27pm

Also seeing this issue with *.akamaiedge.net, working around it on the Palo Alto by using Google’s DNS for now.

system · March 12, 2025, 8:27pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNS resolution randomly stops working for website DNS & Network	4	2447	June 6, 2020
The domain randomly and inconsistently not resolve DNS DNS & Network	5	30	December 14, 2024
Cloudflare resolves to unreacheble IP DNS & Network	4	50	February 5, 2025
My computer is stuck with my origin server ip instead of using cloudflare proxy? DNS & Network	5	9	March 7, 2025
DNS lookup failing on some VPN locations DNS & Network	4	994	May 31, 2023