Hi, let's work from your end goal. Are you trying to forward all DNS queries/responses that originate in your spoke-VPC to a Palo Alto firewall instance? This may be a routing issue in your VPC. What is the configuration of your outbound DNS resolver endpoint? In addition to the default route, do you have any other routes in the DNS resolver endpoint subnet?
PS: the packet will be forwarded from the spoke-VPC directly to the TGW in the 'forward' direction. The TGW will forward traffic to the Spoke-VPC-TGW-subnet on the return path.
I encountered the same issue and found that the default DNS configuration for the client is 127.0.0.53, so the traffic cannot pass through Palo Alto. So I solved the problem by modifying the client's DNS server to 8.8.8.8. You can try it out.