About DNS Security Subscription Services
Palo Alto Networks® offers DNS Security and Advanced DNS Security cloud subscriptions for integrated protection against DNS-based threats. Both subscriptions require an Advanced Threat Prevention or Threat Prevention license.
The DNS Security cloud service utilizes machine learning, predictive analytics, and diverse threat intelligence to generate enhanced signatures and perform real-time analysis. It defends against various threats like DNS tunneling , DNS rebinding , auto-generated domains (DGA) , and malware hosts .
Threat Prevention integration allows sinkholing of malicious DNS requests. While downloadable local signature lists exist, the cloud-based service offers a significantly larger, infinitely scalable database with real-time updates and advanced analysis capabilities not present locally.
Advanced DNS Security (PAN-OS 11.2+) complements DNS Security by focusing on detecting DNS hijacking and misconfigured domains through the inspection of DNS *responses* in real-time. DNS hijacking involves compromising DNS infrastructure, while misconfigured domains arise from incorrect or outdated DNS records allowing attackers to take over subdomains.
Advanced DNS Security uses cloud-based detection engines with ML analysis, providing automatic, cloud-side updates. Initial engines include DNS Misconfiguration Domains and Hijacking Domains analysis. Both DNS Security and Advanced DNS Security are enabled and configured through the Anti-Spyware (or DNS Security) profile .
Mermaid Diagram: Core DNS Security Process
Illustrates the process by which DNS Security and Advanced DNS Security categorize domains based on various threat intelligence sources and analysis techniques.
Cloud-Delivered DNS Signatures and Protections
As cloud-based services, Advanced DNS Security and DNS Security provide access to an infinitely scalable source of DNS signatures and protections against malicious domains. Palo Alto Networks generates these from sources like WildFire , passive DNS, web crawling, sandbox analysis, Honeynet, DGA reverse engineering, telemetry, whois, Unit 42 , and third-party feeds like the Cyber Threat Alliance .
This cloud database offers the complete, ever-expanding DNS signature set, including those generated by advanced analysis techniques, and supports real-time DNS request analysis. In contrast, locally available, downloadable signature sets (part of antivirus/WildFire updates) have a hard-coded limit of 100k signatures and lack these advanced analysis capabilities. The cloud service provides instant access to new signatures without manual updates. If connectivity fails, the firewall falls back to the onbox signature set.
Illustrates the flow of DNS queries and the role of the cloud service in analysis.
The DNS Security service performs real-time DNS request analysis using predictive analytics and machine learning. Protections are applied via the Anti-Spyware Security profile attached to Security policy rules. You can configure separate policy actions (e.g., sinkhole ) and log severity for each threat category.
Palo Alto Networks also maintains a list of explicitly allowed domains based on PAN-DB and Alexa metrics, accessible through content releases.
Note: PAN-OS 9.1 and earlier versions support a limited range of DNS Security source categories.
Supported DNS Threat Categories
DNS Security and Advanced DNS Security detect the following categories. The universal threat ID (UTID) indicates the specific detection mechanism in Threat logs.
-
Command and Control Domains (C2)
—Used by malware/compromised systems for communication (commands, data exfiltration). Includes:
- DNS Tunnel Detection (UTID: 109001001/109001002)—Detects encoding non-DNS data within DNS queries/responses using ML analysis of query patterns (n-gram, entropy, rate). Allows blocking hidden C2 or data theft.
-
DGA Domain Detection
(UTID: 109000001)—Detects domains
auto-generated
algorithmically (e.g., by Pushdo, BankPatch, CryptoLocker) for C2, often to evade blocking.
- Dictionary DGA (UTID: 109000002)—Specific DGA variant using preset terms to appear legitimate.
- NXNSAttack (UTID: 109010007)—Detects attacks exploiting a DNS protocol vulnerability to launch DDoS-like amplification against authoritative servers via recursive resolvers.
- DNS Rebinding (UTID: 109010009)—Detects attacks manipulating domain resolution (short TTL) to bypass the same-origin policy and use client machines to attack private networks.
- DNS Infiltration (UTID: 109001003)—Detects malicious actors hiding payloads in A/AAAA records of multiple subdomains to be reassembled and executed on the client.
- DNS Traffic Profiling (UTID: 109010010)—(Requires Advanced DNS Security ) Cloud-based ML analyzer detecting C2 based on vectorized DNS traffic patterns matching malicious profiles.
- Dynamic DNS Hosted Domains (DDNS) (UTID: 109020002)—Detects malicious use of DDNS services (which map hostnames to changing IP addresses) to hide C2 servers and evade detection.
-
Malware Domains
—Host and distribute malware (executables, viruses, drive-by downloads). Distinct from C2 (payload delivery vs. post-infection communication). Includes:
- Malware Compromised DNS (UTID: 109003001)—Detects seemingly genuine but malicious hostnames/subdomains, including newly observed ones mimicking legitimate hosts or domain shadowing after account compromise.
- Ransomware Domains (UTID: 109003002)—Detects domains distributing ransomware via seemingly legitimate downloads.
- Malicious TDS Domains (UTID: 109003003)—Detects intermediary servers (Traffic Distribution Systems) used to redirect users to malicious content or exploit kits.
- Newly Registered Domains (NRDs) (UTID: 109020001)—Detects domains registered within the last 32 days, commonly used for temporary malicious campaigns (C2, malware, spam, PUP/adware). Detected by monitoring registries, registrars, zone files, passive DNS, WHOIS.
- Phishing Domains (UTID: 109010001)—Detects domains attempting to steal sensitive data (credentials, personal info) by impersonating legitimate sites via phishing or pharming.
-
Grayware Domains
(UTID: 109010002)—(PAN-OS 8290+) Domains posing indirect threats or undesirable behavior. Includes:
- Attempting to trick users into granting remote access.
- Subdomain reputation (UTID: 109002004)—Detects malicious content hosted on subdomains of popular services.
- Adware and unsolicited applications (cryptominers, hijackers, PUPs).
- Fastflux detection (UTID: 109010005)—Detects rapid changes in IP addresses associated with a domain to evade detection.
- Malicious NRD (UTID: 109010006)—Newly registered domains showing malicious behavior.
- Dangling DNS (UTID: 109010008)—Detects stale or improperly configured DNS records redirecting traffic to malicious sites.
- Illegal activities or scams.
- Wildcard abuse (UTID: 109002001)—Detects wildcard DNS entries used to evade block lists or for attacks.
- Anomaly detection —Detects anomalous DNS traffic patterns compared to baseline profiles.
- Strategically-aged domains (UTID: 109002002)—Detects domains registered long in advance and left dormant before activation.
- Stockpile Domain detection (UTID: 109002005)—Detects unused domains registered with probable malicious intent based on certificate logs.
- Cybersquatting / Typosquatting domains (UTID: 109002003)—Detects domains resembling popular brands or common typos to deceive users.
- Domain Masquerading (UTID: 109002006)—Detects attackers initially mapping harmful domains to reputable IPs then switching to malicious ones.
- Parked Domains (UTID: 109010003)—(PAN-OS 8318+) Detects inactive domains hosting ads; can be vectors for malware.
- Proxy Avoidance and Anonymizers (UTID: 109010004)—(PAN-OS 8340+) Detects traffic to services used to bypass content filtering policies.
-
Ad Tracking Domains
(UTID: 109004000)—(PAN-OS 8586+) Delivers marketing content and tracks user engagement. Includes:
- CNAME Cloaking (UTID: 109004001)—Detects URL concealment via CNAMEs that circumvent browser privacy.
- Hijacked Domains (UTID: 109004000)—(Requires Advanced DNS Security ) Detects domains where attackers redirect legitimate domain resolution to their IPs by compromising DNS infrastructure.
-
Misconfiguration Domains
(UTID: 109004000)—(Requires
Advanced DNS Security
) Detects malicious domains incorporated via domain configuration issues or outdated DNS records.
- Misconfiguration Zone : (UTID: 109004200)—Generic misconfiguration category.
- Misconfiguration Zone Dangling (UTID: 109004201)—Specific detection for misconfigured/stale records causing redirection.
- Misconfiguration Claimable NX (UTID: 109004202)—Detects misconfigured non-existent domains that attackers could register.
Attribution details for domains like
DNS tunneling
are available in Threat logs (Threat ID/Name field), ThreatVault, and URL Filtering Test A Site, showing tools and associated campaigns (e.g., Tunneling:
Mermaid Diagram: Supported Threat Categories Overview
Overview of DNS threat categories detected by DNS Security and Advanced DNS Security (ADNS), including categories specific to ADNS.
Data Collection and Logging
The DNS Security service collects server response and request information based on your security policy rules and DNS query details. This data is used to generate DNS Security logs for Strata Logging Service -based applications (AIOps for NGFW Free, Prisma Access, Strata Logging Service, etc).
Supplemental DNS data (like provider ASN, hosting info, geolocation) is also forwarded to the DNS Security cloud servers for improved analytics and detection capabilities. This occurs quickly, typically under 30 seconds. Note that DNS Security telemetry has minimal overhead, meaning only a subset of DNS queries are sent as DNS Security log entries to Strata Logging Service . Therefore, Palo Alto Networks recommends viewing logs for *malicious* DNS requests as threat logs, as these are forwarded in their entirety via standard PAN-OS log forwarding.
DNS Security can submit the following data fields:
| Field | Description |
|---|---|
| Action | Displays the policy action taken on the DNS query. |
| Type | Displays the DNS record type. |
| Response | The IP address that the domain in the DNS query got resolved to. |
| Response Code | The DNS response code that was received as an answer to your DNS query. |
| Source IP | The IP address of the system that made the DNS request. |
| Source User | When the firewall User-ID feature is enabled, the identity of the DNS requester is shown. |
| Source Zone | The configured source zone referenced in your security policy rule. |
Expanded data collection is bypassed for domains added to the Allow list in DNS Exceptions.
Data fields identifying users ( Source IP , Source User , Source Zone ) can be masked from automatic submission using the CLI command: set deviceconfig setting ctd cloud-dns-privacy-mask yes . Remember to commit changes.
Mermaid Diagram: DNS Security Data Flow
Visualizes the data flow from DNS query reception and cloud lookup to logging in Strata Logging Service.
Regional Service Domains
Palo Alto Networks maintains a network of global and regional domains that provide service for DNS Security and Advanced DNS Security operations. These service domains operate real-time DNS request analyzers, access to the DNS signature database and provide advanced cloud-dependent functionality. By default, DNS Security and Advanced DNS Security connects to the global service domains ( dns.service.paloaltonetworks.com and adv-dns.service.paloaltonetworks.com ,respectively), which then automatically redirect to the regional domain that is closest to the network security platform location.
Advanced DNS Security Regional Service Domains
You can manually specify the server used to facilitate Advanced DNS Security queries. While Palo Alto Networks recommends using the default global service domain, you can override the selected server if you encounter higher than expected latency or other service-related issues.
This setting does not impact how standard DNS Security queries are handled.
The following table lists the service domains used by Advanced DNS Security :
| Location | URL |
|---|---|
| Cape Town, South Africa | dns-za.service.paloaltonetworks.com |
| Bahrain | dns-bh.service.paloaltonetworks.com |
| Paris, France | dns-fr.service.paloaltonetworks.com |
| Tokyo, Japan | dns-jp.service.paloaltonetworks.com |
| Singapore | dns-sg.service.paloaltonetworks.com |
| Sydney, Australia | dns-au.service.paloaltonetworks.com |
| London, England | dns-uk.service.paloaltonetworks.com |
| Frankfurt, Germany | dns-de.service.paloaltonetworks.com |
| Eemshaven, Netherlands | dns-nl.service.paloaltonetworks.com |
| Council Bluffs, Iowa, USA | dns-us-ia.service.paloaltonetworks.com |
| Ashburn, Northern Virginia, USA | dns-us-va.service.paloaltonetworks.com |
| The Dalles, Oregon, USA | dns-us-or.service.paloaltonetworks.com |
| Montreal, Quebec, Canada | dns-ca.service.paloaltonetworks.com |
| Osasco, São Paulo, Brazil | dns-br.service.paloaltonetworks.com |
| Los Angeles, California, USA | dns-us-ca.service.paloaltonetworks.com |
| Hong Kong | dns-hk.service.paloaltonetworks.com |
| Mumbai, India | dns-in.service.paloaltonetworks.com |
| Tel Aviv, Israel | dns-il.service.paloaltonetworks.com |
| Seoul, South Korea | dns-kr.service.paloaltonetworks.com |
Configure DNS Security Subscription Services
Before you can enable and configure Advanced DNS Security or DNS Security , you must obtain and install a Threat Prevention (or Advanced Threat Prevention ) license as well as an Advanced DNS Security or DNS Security license in addition to any platform licenses from where it is operated. Licenses are activated from the Palo Alto Networks Customer Support Portal and must be active before DNS analysis can take place. Additionally, DNS Security subscription services (similar to other Palo Alto Networks security services) are administered through security profiles, which in turn is dependent on the configuration of network enforcement policies as defined through security policy rules. Before enabling a DNS Security subscription service, it is recommended that you familiarize yourself core components of the security platform in which the security subscriptions are enabled. Refer to your product documentation for more information.
To enable and configure a DNS Security subscription service to function optimally within your network security deployment, refer to the tasks below.
- Enable DNS Security or Advanced DNS Security on my network security platform to prevent DNS threats from entering my network (required)
- Create domain signature exceptions and allow lists to limit false-positives and prevent internal DNS servers from triggering DNS categorization
- Test the configured policy actions for the available domain categories
- Verify my firewall’s connectivity to the DNS Security service
- Limit dropped connections due to my latency by customizing my DNS lookup timeout setting on the firewall
Enable DNS Security
To enable DNS Security , you must create (or modify) an Anti-Spyware security profile to access the DNS Security service , configure the log severity and policy settings for the DNS signature category (or categories), and then attach the profile to a security policy rule.
Strata Cloud Manager
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
- Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention ) license is active. Select Manage > Configuration > NGFW and Prisma Access > Overview and click the license usage terms link in the License panel. You should see green check marks next to the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS Security.
- Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
- Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole .
If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security .
- Create or modify an existing DNS Security profile.
- Name the profile and, optionally, provide a description.
- In the DNS Categories section, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as the packet capture setting.
Palo Alto Networks recommends using the default action setting for all signature sources to ensure optimum coverage as well as to assist with incidence response and remediation. For more information about the best practices for configuring your DNS Security settings, refer to Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
- Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole . Palo Alto Networks recommends setting the action to sinkhole.
- You can fully bypass DNS traffic inspection by configuring a policy action of Allow with a corresponding log severity of None for each DNS signature source.
- In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
- In the DNS Sinkhole Settings section, verify that a valid Sinkhole address is present. For your convenience, the default setting (pan-sinkhole-default-ip) is set to access a Palo Alto Networks sinkhole server. Palo Alto Networks can automatically refresh this address through updates.
Sinkhole forges a response to a DNS query for domains that match the DNS category configured for a sinkhole action to the specified sinkhole server, to assist in identifying compromised hosts. When the default sinkhole FQDN is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot be properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: (72.5.65.111).
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
Screenshot showing the DNS Security profile configuration in Strata Cloud Manager.
Mermaid Diagram: DNS Sinkhole Process
Illustrates the DNS Sinkhole process, showing how the firewall redirects malicious domain resolution. Highlights the difference in client behavior and logging outcomes between using the default Sinkhole FQDN (CNAME response) and a configured Sinkhole IP (direct A record response), particularly when the client lacks robust CNAME resolution capabilities.
- Click OK to save the DNS Security profile.
- Attach the DNS Security profile to a Security policy rule.
- Test that the policy action is enforced.
- Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
- To monitor the activity:
1. View the activity logs and search for the URL Domain with a sinkholed action to view the log entries for the test domain you accessed.
- Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the DNS Security profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appears as a conventional dns-base application with a source port of 853.
- For other monitoring options, see Monitor DNS Security Subscription Services
PAN-OS & Panorama
- Log in to the NGFW .
- To take advantage of DNS Security , you must have an active DNS Security and Threat Prevention (or Advanced Threat Prevention ) subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions that you currently have licenses for, select Device > Licenses and verify that the appropriate licenses display and have not expired.
- Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
- Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole .
If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
- Select Objects > Security Profiles > Anti-Spyware .
- Create or modify an existing profile, or select one of the existing default profiles and clone it.
- Name the profile and, optionally, provide a description.
- Select the DNS Policies tab.
- In the Signature Source column, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as a log severity level.
Palo Alto Networks recommends changing your default DNS Policies settings for signature sources to ensure optimum coverage as well as to assist with incidence response and remediation. Follow the best practices for configuring your DNS Security settings as outlined in the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
- Specify the log severity level that is recorded when the firewall detects a domain matching a DNS signature. For more information about the various log severity levels, refer to Threat Severity Levels.
- Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are default, allow, block, or sinkhole . Verify that the action is set to sinkhole .
- You can fully bypass DNS traffic inspection by configuring a policy action of Allow with a corresponding log severity of None for each DNS signature source.
- In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
- In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
Sinkhole forges a response to a DNS query for domains that match the DNS category configured for a sinkhole action to the specified sinkhole server, to assist in identifying compromised hosts. When the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot be properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: (72.5.65.111).
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
- (Optional) Block the specified DNS resource record types record types used to exchange keying information during the encryption of the client hello in the subsequent TLS connection. The following DNS RR types are available: SVCB (64), HTTPS (65), and ANY (255).
- While it is not necessary to block ECH in order to enable DNS Security over DoH, Palo Alto Networks currently recommends blocking all DNS record types used by ECH for optimum security.
- Type 64 and type 65 resource record standards are still in flux (in a draft state) and are subject to change. For more information on DNS SVCB and HTTPS RRs, refer to: Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs) as defined by the IETF.
Screenshot showing the DNS Policies tab in the Anti-Spyware profile configuration in PAN-OS.
- Click OK to save the Anti-Spyware profile.
- Attach the Anti-Spyware profile to a Security policy rule.
- Select Policies > Security .
- Select or create a Security Policy Rule .
- On the Actions tab, select the Log at Session End check box to enable logging.
- In the Profile Setting section, click the Profile Type drop-down to view all Profiles . From the Anti-Spyware drop-down and select the new or modified profile.
- Click OK to save the policy rule.
- Test that the policy action is enforced.
- Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
- To monitor the activity on the firewall:
1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
3. For more monitoring options, see Monitor DNS Security Subscription Services
- Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the Anti-Spyware profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appears as a conventional dns-base application with a source port of 853.
- Optional—See Infected Hosts that Attempted to Connect to a Malicious Domain
Enable Advanced DNS Security
Advanced DNS Security supplements your existing DNS Security configuration to provide additional protection against DNS hijacking by inspecting changes to DNS responses. You should have fully configured DNS Security settings before proceeding with this step.
To enable Advanced DNS Security , you must create (or modify) an Anti-Spyware security profile to access the Advanced DNS Security service , configure the log severity and policy settings for the DNS signature category (or categories), and then attach the profile to a security policy rule.
PAN-OS 11.2 and later
Palo Alto Networks recommends enabling your DNS Security functionality prior to setting up Advanced DNS Security.
- Log in to the NGFW .
- Update the content release version to 8832 or later.
- To prevent access to known and unknown malicious domains using Advanced DNS Security , you must have an active Advanced DNS Security license . This should only be installed after upgrading to PAN-OS 11.2.
Advanced DNS Security supports a licensing model that subsumes DNS Security functionality into the Advanced DNS Security license when installed on a previously unlicensed firewall. If you upgrade from a firewall with an existing DNS Security license , entries indicating the presence of separate DNS Security and Advanced DNS Security licenses are displayed. In this instance, the DNS Security license is a passive entry and all DNS Security and Advanced DNS Security functionality is conferred through the Advanced DNS License , including the relevant expiration date. Firewalls without a previously installed DNS Security license show an Advanced DNS Security license , however, it provides both DNS Security and Advanced DNS Security functionality.
Consequently, if you downgrade from a PAN-OS release operating an Advanced DNS Security license to a release that does not support Advanced DNS Security , the firewall continues to display and confer DNS Security functionality through the Advanced DNS Security license , however, it is limited to base DNS Security features.
To verify subscriptions for which you have currently-active licenses, select Device > Licenses and verify that the appropriate licenses are available and have not expired.
Screenshot showing active licenses in PAN-OS.
- Update or create a new Anti-Spyware Security profile to enable real-time Advanced DNS Security queries. Typically, this is your existing Anti-Spyware security profile used for the DNS Security configuration.
Screenshot showing the DNS Policies tab with Advanced DNS Security categories in the Anti-Spyware profile in PAN-OS.
- Select an existing Anti-Spyware security profile or Add a new one ( Objects > Security Profiles > Anti-Spyware ).
- Select your Anti-Spyware security profile and then go to DNS Policies .
- For each Advanced DNS Security domain category, specify a Log Severity and Policy Action to take when a domain type is detected using a corresponding analysis engine. There are currently two analysis engines available: DNS Misconfiguration Domains and Hijacking Domains .
Policy Action Options:
- allow —The DNS query is allowed.
You can configure the firewall to generate an alert when the applicable domain type is detected by setting the action to allow and the log severity to informational.
- block —The DNS query is blocked.
- sinkhole —Forges a DNS response for a DNS query targeting a detected malicious domain. This directs the resolution of the malicious domain name to a specific IP address (referred to as the Sinkhole IP), which is embedded as the response. The default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
Log Severity Options:
- none —The event does not have an associated log severity level.
- low —Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage.
- informational —Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
- medium —Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
- high —Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
- critical —Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
- Click OK to exit the Anti-Spyware Security Profile configuration dialog and Commit your changes.
- Optional Specify any public-facing parent domains within your organization that you want Advanced DNS Security to analyze and monitor for the presence of misconfigured domains . Misconfigured domains are inadvertently created by domain owners who point alias records to third party domains using CNAME, MX, NS record types, using entries that are no longer valid, allowing an attacker to take over the domain by registering the expired or unused domains.
TLDs (top-level domains) and root level domains cannot be added to the DNS Zone Misconfigurations list.
Screenshot showing the DNS Zone Misconfigurations section in the Anti-Spyware profile in PAN-OS.
- Select an Anti-Spyware security profile ( Objects > Security Profiles > Anti-Spyware ) and go to DNS Policies .
- In the DNS Zone Misconfigurations section, add public-facing parent domains with an optional description to assist you in identifying domain usage or ownership within your organization.
Entries must have a "." contained in the domain using the following format (e.g. paloaltonetworks.com), otherwise it gets parsed as a hostname, which is considered a private domain.
- Click OK to exit the Anti-Spyware Security Profile configuration dialog and Commit your changes.
- Optional Configure the maximum Advanced DNS signature lookup timeout setting. When this value is exceeded, the DNS response passes through without performing analysis using Advanced DNS Security .
- Optional [If you do not have the latest device certificate] Install an updated firewall device certificate used to authenticate to the Advanced Threat Prevention inline cloud analysis service. Repeat for all firewalls enabled for inline cloud analysis.
If you have already installed an updated firewall device certificate as part of your IoT Security, Device Telemetry, Advanced Threat Prevention, or Advanced URL Filtering onboarding process, this step is not necessary.
- Required when the firewall is deployed with an explicit proxy server Configure the proxy server used to access the servers that facilitate requests generated by all configured inline cloud analysis features. A single proxy server can be specified and applies to all Palo Alto Networks update services, including all configured inline cloud and logging services.
- PAN-OS 11.2.3 and later Configure the proxy server through PAN-OS.
1. Select Device > Setup > Services and edit the Services details.
2. Specify the Proxy Server settings and Enable proxy for Inline Cloud Services . You can provide either an IP address or FQDN in the Server field.
The proxy server password must contain a minimum of six characters.
Screenshot showing Proxy Server configuration for Inline Cloud Services in PAN-OS.
3. Click OK .
- Optional Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
- Optional Monitor activity on the firewall for DNS queries that have been detected using Advanced DNS Security . DNS Security Categories analyzed using Advanced DNS Security real-time analysis of the DNS response packet have the prefix ‘adns’ followed by the category. For example, adns-dnsmisconfig, whereby ‘dnsmisconfig’ indicates the supported DNS category type. If the DNS domain category was determined by analyzing the DNS request packet, the specified category is displayed with the prefix ‘dns’ followed by the category. For example, ‘dns-grayware.’
- Access the Advanced DNS Security test domains to verify that the policy action for a given threat type is being enforced.
- Select Monitor > Logs > Threat . You can filter the logs based on the specific type of Advanced DNS Security domain category, for example ( category-of-threatid eq adns-hijacking ) , whereby the variable adns-hijacking indicates DNS queries that have been categorized as a malicious DNS hijacking attempt by Advanced DNS Security . The following Advanced DNS Security threat categories available in the logs:
Advanced DNS Security Categories
- DNS Hijacking —adns-hijacking
DNS Hijacking domains have a threat ID of (UTID: 109,004,100).
- DNS Misconfiguration —adns-dnsmisconfig
DNS Misconfiguration domains have three threats IDs, which correspond to three variants of DNS misconfiguration domains types: dnsmisconfig_zone (UTID: 109,004,200), dnsmisconfig_zone_dangling (UTID: 109,004,201), and dnsmisconfig_claimable_nx (UTID: 109,004,202). You can constrain the search by cross-referencing a Threat-ID value that corresponds to a specific DNS misconfiguration domain type. For example, ( category-of-threatid eq adns-dnsmisconfig ) and (threatid eq 109004200) , whereby 109004200 indicates the Threat ID of a DNS misconfiguration domain that does not route traffic to an active domain due to a DNS server configuration issue.
DNS Categories analyzed using Advanced DNS Security enhanced response analysis.
You must operate a firewall running PAN-OS 11.2 and later to take advantage of enhanced Advanced DNS Security real-time analysis.
- DNS —adns-benign
- Malware Domains —adns-malware
- Command and Control Domains —adns-c2
- Phishing Domains —adns-phishing
- Dynamic DNS Hosted Domains —adns-ddns
- Newly Registered Domains —adns-new-domain
- Grayware Domains —adns-grayware
- Parked Domains —adns-parked
- Proxy Avoidance and Anonymizers —adns-proxy
- Ad Tracking Domains —adns-adtracking
If the DNS query does not complete within the specified timeout period for Advanced DNS Security, the DNS Security categorization will be used, when possible. In those instances, the legacy notation for the category is used, for example, instead of adns-malware, it will be categorized as dns-malware, indicating that the DNS Security categorization value was used.
- Select a log entry to view the details of the DNS query.
- The DNS Category is displayed under the Details pane of the detailed log view. In addition, you can see other aspects of the threat, including the Threat ID, which includes the origin domain, the specific threat category, and other associated characteristics, as well as the associated Q type, and R data using the following format: hijacking:<FQDN>:<QTYPE>:<RDATA>, whereby <QTYPE> represents the DNS resource record type and <RDATA> represents the hijacked IP Address.
Screenshot showing Threat Log details for an Advanced DNS Security event in PAN-OS.
- Optional Retrieve a list of misconfigured domains and hijacked domains detected by the Advanced DNS Security service . The misconfigured domains are based on the public-facing parent domain entries added to DNS Zone Misconfigurations .
Misconfigured domain entries that are removed from your network are not immediately reflected in the Advanced DNS Security dashboard statistics.
- Use the credentials associated with your Palo Alto Networks support account and log in to Strata Cloud Manager on the hub.
- Select Dashboards > More Dashboards > DNS Security to open the DNS Security dashboard .
- From the DNS Security dashboard , refer to the following widgets:
- Misconfigured Domains —View a list of non-resolvable domains associated with the user-specified public-facing parent domain(s). For each entry, there is a misconfiguration reason and a traffic hit count based on the source IP.
Screenshot showing the Misconfigured Domains widget in the DNS Security Dashboard (Strata Cloud Manager).
- Hijacked Domains —View a list of hijacked domains as determined by Advanced DNS Security . For each entry, there is a categorization reason and a traffic hit count based on the source IP.
Screenshot showing the Hijacked Domains widget in the DNS Security Dashboard (Strata Cloud Manager).
Configure DNS Security Over TLS
You can get visibility and control into DNS Security over TLS requests by decrypting the DNS payload contained within the encrypted DNS request. The decrypted DNS payload can then be processed using the security profile configuration containing your DNS policy settings. DNS requests that have been determined to have originated from TLS sources have a source port of 853 in the threat logs.
Strata Cloud Manager
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager application on the hub.
- Enable DNS Security is configured to inspect DNS requests. You can use your existing security profile if you want to use the same DNS Policies settings for DNS Security over TLS traffic.
- Create a decryption policy rule with an action to decrypt HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in the logs appear as conventional dns-base applications.
- Optional Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security .
- Select Activity > Log Viewer and select Threat logs. Use the query builder to filter based on the application using dns-base and port 853 (which is exclusively used for DNS Security over TLS transactions), for example, app = 'dns-base' AND source_port = 853 .
- Select a log entry to view the details of the detected DNS threat.
- The Application should display dns-base in the General pane and the Port in the Source pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding tabs.
PAN-OS & Panorama
- Log in to the NGFW .
- Enable DNS Security is configured to inspect DNS requests. You can use your existing security profile if you want to use the same DNS Policies settings for DNS Security over TLS traffic.
- Create a decryption policy rule (similar to the example below) with an action to decrypt HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in the logs appear as conventional dns-base applications.
Example Decryption Policy Rule in PAN-OS to decrypt traffic on port 853.
- Optional Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security .
- Select Monitor > Logs > Traffic and filter based on the application using dns-base and port 853 (which is exclusively used for DNS Security over TLS transactions), for example, ( app eq dns-base ) and ( port.src eq 853 ) .
- Select a log entry to view the details of a detected DNS threat.
- The Application should display dns-base in the General pane and the Port in the Source pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
Configure DNS Security Over DoH
You can analyze and categorize the DNS payload contained within encrypted DNS traffic requests to DNS hosts using HTTPS ( DoH—[DNS-over-HTTPS] ). If your organization currently blocks all DoH requests as Palo Alto Networks recommends, you can transition away from that policy as DNS Security now enables you extract the DNS hostname from the encrypted request and apply your organization’s existing DNS Security policies. This allows you to safely access more websites as support for DoH widens. DNS Security support for DoH is enabled by configuring the firewall to decrypt the payload of DNS requests originating from a user-specified list of DNS resolvers, providing support for a range of server options. The decrypted DNS payload can then be processed using the Anti-spyware profile configuration containing your DNS policy configuration. DNS requests that have been determined to be DoH are labeled as dns-over-https in the traffic logs.
Palo Alto Networks DNS Security processes and categorizes DNS-over-HTTPS (DoH) traffic
Step-by-step interaction for processing DNS-over-HTTPS (DoH)
Strata Cloud Manager
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
- Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic to/from (you will need the DNS server URL(s)).
- Create a Decryption Policy Rule that references the custom URL category list that you created in the previous step.
- Update or create a new anti-spyware security profile used to inspect DoH requests.
- Create or update a security policy rule and reference a DNS Security profile and a custom URL category list ( Manage > Configuration > PAN-OS and Prisma Access > Security Services > URL Access Management ) containing the approved list of DoH servers.
- Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by using the App-ID : dns-over-https and the following URL category: encrypted-dns .
If you already have an existing block policy to block DoH traffic, verify that the rule is placed below the previous security policy rule used to match with specific DoH resolvers listed in a custom URL category list object.
- (Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have been processed using DNS Security .
- Select Activity > Logs > Log Viewer and select Threat .
- Submit a log query based on the application, using dns-over-https , for example, app = 'dns-over-https' .
- Select a log entry to view the details of a detected DNS threat that uses DoH .
- The threat Application is displayed in the General pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
PAN-OS 11.0 and later
- Log in to the PAN-OS web interface.
- Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic to/from (you will need the DNS server URL(s)).
- Create a Decryption Policy Rule that references the custom URL category list that you created in the previous step.
- Update or create a new anti-spyware security profile used to inspect DoH requests.
- Create or update a security policy rule and reference an anti-spyware profile and a custom URL category list ( Objects > Custom Objects > URL Category ) containing the approved list of DoH servers.
- Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by using the App-ID : dns-over-https and the following URL category: encrypted-dns .
If you already have an existing block policy to block DoH traffic, verify that the rule is placed below the previous security policy rule used to match with specific DoH resolvers listed in a custom URL category list object.
- (Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have been processed using DNS Security .
- Select Monitor > Logs > Traffic and filter based on the application using dns-over-https , for example, ( app eq dns-over-https ) .
- Select a log entry to view the details of a detected DNS threat.
- The Application should display dns-over-https in the General pane of the detailed log view, indicating that this is DoH traffic that has been processed using DNS Security . Other relevant details about the threat are displayed in their corresponding windows.
Screenshot showing Traffic Log details for DNS-over-HTTPS traffic processed by DNS Security in PAN-OS.
Create Domain Exceptions and Allow | Block Lists
DNS Security creates threat signatures for domains that have been analyzed by the DNS Security service . For these known domains, the signatures are referenced when a DNS query is received. In some cases, it might be possible that the signature has incorrectly categorized a domain as a threat, due to certain features or qualities present in the domain. In such circumstances, you can add signature exceptions to bypass these false-positives. If there are known safe domains that are categorized as malicious, such as internal domains, you can add a list of domains that will bypass any DNS analysis. If your organization uses third party threat feeds as part of a comprehensive threat intelligence solution, you can also reference those in the form of external dynamic lists (EDLs) in your DNS Security profile.
Strata Cloud Manager
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
- Add domain overrides in cases where false-positives occur.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security and select a DNS Security profile to modify.
- Add Override or Delete to modify the domain list entries as necessary. Each additional entry requires the domain and a description.
Screenshot showing how to add domain overrides in the DNS Security profile (Strata Cloud Manager).
- Click OK to save your modified DNS Security profile .
- Reference an external dynamic list (EDL) as part of your DNS Security profile to import third party threat feeds.
- Create an domain-based external dynamic list (EDL) ( Manage > Configuration > NGFW and Prisma Access > Objects > External Dynamic Lists ). For more information about EDLs , see External Dynamic List.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security .
- In the External Dynamic Lists panel, select a domain list EDL and provide the Policy Action and Packet Capture settings. In Apply to Profiles , select the DNS Security profile for which you want the EDL domain list to apply to.
- Save your changes when you have finished making your updates.
PAN-OS & Panorama
- PAN-OS 10.0 and later
- PAN-OS 9.1
- Log in to the NGFW .
- Add domain signature exceptions in cases where false-positives occur.
- Select Objects > Security Profiles > Anti-Spyware .
- Select a profile to modify.
- Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions .
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select the checkbox for each Threat ID of the DNS signature that you want to exclude from enforcement.
Screenshot showing how to exclude DNS signatures using the DNS Exceptions tab in PAN-OS.
- Click OK to save your new or modified Anti-Spyware profile .
- Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
- Select Objects > Security Profiles > Anti-Spyware .
- Select a profile to modify.
- Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions .
- To Add a new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
Screenshot showing how to add domains to the Allow List using the DNS Exceptions tab in PAN-OS.
- Click OK to save your new or modified Anti-Spyware profile .
Test Connectivity to the DNS Security Cloud Services
DNS Security
Verify your firewall connectivity to the DNS Security service . If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com .
- Access the firewall CLI .
- Use the following CLI command to verify your firewall’s connection availability to the DNS Security service .
show dns-proxy dns-signature info
For example:
show dns-proxy dns-signture info
Cloud URL: dns.service.paloaltonetworks.com:443
Telemetry URL: io.dns.service.paloaltonetworks.com:443
Last Result: None
Last Server Address:
Parameter Exchange: Interval 300 sec
Allow List Refresh: Interval 43200 sec
Request Waiting Transmission: 0
Request Pending Response: 0
Cache Size: 0
If your firewall has an active connection to the DNS Security service , the server details display in the response output.
- Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.
Use the following CLI command on the firewall to review the details about a domain:
test dns-proxy dns-signature fqdn <fqdn>
For example:
test dns-proxy dns-signature fqdn www.yahoo.com
DNS Signature Query [ www.yahoo.com ]
Completed in 178 ms
DNS Signature Response
Entries: 2
Domain Category GTID TTL
-------------------------------------------------------------------------------------------------
*.yahoo.com Benign 0 86400
www.yahoo.com Benign 0 3600
Advanced DNS Security
Verify your firewall connectivity to the Advanced DNS Security service . If you cannot reach the service, verify that the following domain is not being blocked: adv-dns.service.paloaltonetworks.com . If you have manually configured a regional Advanced DNS Security server, you may need to verify the specific regional domain is also unblocked.
- Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
Use the following CLI command on the firewall to view the connection status.
show ctd-agent status security-client
For example:
show ctd-agent status security-client
...
Security Client ADNS(1)
Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
Pool state: Ready (2)
last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
Security Client AdnsTelemetry(2)
Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Pool state: Ready (2)
last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
...
Verify that the cloud connection status for Security Client AdnsTelemetry(2) and Security Client ADNS(1) are showing active connections.
CLI output shortened for brevity.
If you are unable to connect to the Advanced DNS Security cloud service, verify that the Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com .
Configure Lookup Timeout
DNS Security
If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, are passed through. You can check the average latency to verify that requests fall within the configured period. If the average latency exceeds the configured period, consider updating the setting to a value that is higher than the average latency to prevent requests from timing out.
- In the CLI , issue the following command to view the average latency.
- show dns-proxy dns-signature counters
The default timeout is 100 milliseconds.
- Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.
- Signature query API:
- .
- .
- .
- [latency ]:
- max 1870 (ms) min 16(ms) avg 27(ms)
- 50 or less : 47246
- 100 or less : 113
- 200 or less : 25
- 400 or less : 15
else : 21
- If the average latency is consistency above the default timeout value, you can raise the setting so that the requests fall within a given period. Select Device > Content-ID and update the Realtime Signature Lookup setting.
- Commit the changes.
Advanced DNS Security
- View the record of round trip times (in milliseconds) for Advanced DNS Security requests using the following debug CLI command. These are distributed into latency brackets from 0ms to 450ms. You can use this to determine the ideal max latency setting for your NGFW .
admin@PA-VM debug dataplane show ctd feature-forward stats
In the response output, navigate to the section PAN_CTDF_DETECT_SERVICE_ADNS.
PAN_CTDF_DETECT_SERVICE_ADNS
cli_timeout: 1
req_total: 2
req_timed_out: 0
Hold:
adns rtt>=0ms: 0
adns rtt>=50ms: 2
adns rtt>=100ms: 0
adns rtt>=150ms: 0
adns rtt>=200ms: 0
adns rtt>=250ms: 0
adns rtt>=300ms: 0
adns rtt>=350ms: 0
adns rtt>=400ms: 0
adns rtt>=450ms: 0
- Configure the maximum Advanced DNS signature lookup timeout setting. When this value is exceeded, the DNS response passes through without performing analysis using Advanced DNS Security . DNS signatures (and their associated policies) that are delivered through regular content updates or are part of configured EDLs (external dynamic lists) or DNS exceptions are still applied.
Screenshot showing the Advanced DNS Security timeout setting in PAN-OS.
- Select Device > Setup > Content-ID > Advanced DNS Security .
- Specify an updated maximum Advanced DNS signature lookup timeout setting in milliseconds. The default is 100ms and is the recommended setting.
- Click OK to confirm your changes.
Alternatively, you can use the following CLI command to configure the Advanced DNS Security timeout value. You can set a value of 100-15,000ms in 100ms increments. The default value is 100ms and is the recommended setting.
admin@PA-VM#set deviceconfig setting adns-setting max-latency <timeout_value_in_milliseconds>
For example:
admin@PA-VM# set deviceconfig setting adns-setting max-latency 500
You can check the current timeout configuration using the following CLI command (refer to the max-latency entry of the output).
admin@PA-VM show config pushed-template
...
}
deviceconfig {
setting {
dns {
dns-cloud-server dns-qa.service.paloaltonetworks.com;
}
adns-setting {
max-latency 100;
}
}
}
...
Bypass DNS Security Subscriptions Services
DNS Security queries can be bypassed in cases where latency issues or other network issues are present.
In cases where false-positives occur, Palo Alto Networks recommends creating specific exceptions instead of bypassing DNS Security queries.
Cloud Management
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
- Go to Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security and select the relevant DNS Security profile .
- Configure the DNS Security signature policy settings to bypass DNS Security queries. For each DNS category, set the Action to allow and Packet Capture to disabled . In the following, the DNS Security categories have been configured to bypass DNS Security queries.
Screenshot showing DNS Security categories set to 'allow' action for bypassing inspection in Strata Cloud Manager.
- In the Overrides section, verify that there are no entries present; if necessary, delete all Domain/FQDN overrides.
Screenshot showing the Overrides section with no entries in Strata Cloud Manager.
- Click OK to save the DNS Security profile .
Networks DNS Security to an action of allow.
PAN-OS & Panorama
- Log in to the NGFW .
- Configure the DNS Security signature policy settings to bypass DNS Security queries.
- Select Objects > Security Profiles > Anti-Spyware .
- Select the profile containing your active DNS Security policy settings.
- Select the DNS Policies tab.
- For each DNS category, set the log severity to none , the policy action to allow , and packet capture to disable . In the following, the DNS Security categories have been configured to bypass DNS Security queries.
Screenshot showing Anti-Spyware profile DNS Policies set to 'allow' action for bypassing inspection in PAN-OS.
- Select DNS Exceptions and remove all DNS Domain/FQDN Allow List entries.
Screenshot showing DNS Exceptions tab with no Allow List entries in PAN-OS.
- Click OK to save the Anti-Spyware profile .
Monitor DNS Security Subscription Services
Palo Alto Networks provides several options to monitor DNS Security and Advanced DNS Security activity to accommodate intelligence retrieval for a range of products that rely on DNS Security subscription services and the associated traffic data. Depending on the product platform, you can access high-level dashboards that provide DNS request statistics and usage trends, including context into network activity, to specific DNS request details from specific users in the form of logging data.
You can also view how the DNS Security subscription services integrate with other Palo Alto Networks applications and security services to protect your organization from threats, as well as get a high-level view of the overall operational health of your deployment, through the Strata Cloud Manager Command Center . The command center functions as your NetSec homepage and provides a comprehensive summary of the health, security, and efficiency of your network, in an interactive visual dashboard with multiple data facets for easy, at-a-glace assessment.
For more specific details about DNS Security subscription service operations, the dashboard provides a view into your networks DNS query data as well as the ability to drill down into various DNS trends. Each dashboard card provides a unique view into how DNS requests and responses are processed and categorized in a graphical report format. This allows you to see, at a glance, a high-level view of your organization’s DNS usage statistics. It also provides a list of misconfigured domains and hijacked domains detected by the Advanced DNS Security service , enabling you to correct and rectify any DNS configuration errors. The misconfigured domains are based on the public-facing parent domain entries added to DNS Zone Misconfigurations list.
You can also view the logs that are automatically generated when DNS requests are processed. These event files are time-stamped and provide an audit trail when configured to do, based on the DNS category log configuration. DNS log entries can contain various details about the event, including the threat level and, if applicable, the nature of threat.
Palo Alto Networks provides several methods to monitor the DNS Security activity based on your platform.
- The Strata Cloud Manager Command Center
- View DNS Security Dashboard
- View DNS Security logs for the DNS queries that passed through my network
View DNS Security Dashboard
The DNS Security dashboard shows the statistics data generated by the Advanced DNS Security and DNS Security subscription services in a fast, visual assessment report of your organization’s DNS usage. View and drill down into various DNS trends discovered in your network. Each dashboard card provides a unique view into how DNS requests are processed and categorized. Select dashboard cards to change the context of the dashboard or view more information about a specific trend, domain, or statistic.
The DNS Security dashboard is available on Prisma Access and AIOps for NGFW . You can interact with the DNS Security Dashboard Cards to alter the context of the dashboard or view more information about a specific trend, domain, or statistic. You can also customize the formatting to display current trends or historical data, across relevant data points.
Strata Cloud Manager
- Use the credentials associated with your Palo Alto Networks support account and log in to Strata Cloud Manager on the hub.
- Select Dashboards > More Dashboards > DNS Security to open the DNS Security dashboard .
- From the dashboard, configure your filter options using the available drop downs.
- Filter by time range—Select from Last hour , Last 24 hours , Last 7 days , or Last 30 days to display data for a specific time-frame.
- Filter by DNS category—Select from Select All , Malware Command and Control , Phishing , Grayware , Exceptions List , Newly Registered , Dynamic DNS , Proxy , Parked , Benign , Ad Track to filter the data set based on a DNS type.
The Exceptions List category is a list maintained by Palo Alto Networks of explicitly allowable domains based on metrics from PAN-DB and Alexa. These allow list domains are frequently accessed and known to be free from malicious content.
- Filter by DNS action—Select from Allow , Block , and Sinkhole to filter based on the action taken on a DNS query based on your DNS Security profile action settings.
- Optionally, you can also Download, Share, and Schedule Activity Reports.
- You can re-contextualize, interact, and pivot from the data provided by the dashboard cards. For an overview of each of the DNS Security dashboard cards, see DNS Security Dashboard cards.
AIOps for NGFW Free
- Use the credentials associated with your Palo Alto Networks support account and log in to the AIOps for NGFW Free application on the hub.
- Select Dashboards > More Dashboards > DNS Security to open the DNS Security dashboard .
- From the dashboard, configure your filter options using the available drop downs.
Screenshot showing filter options in the DNS Security Dashboard (AIOps for NGFW Free).
- Filter by time range—Select from Last hour , Last 24 hours , Last 7 days , or Last 30 days to display data for a specific time-frame.
- Filter by DNS category—Select from C2 (DGA, Tunneling, other C2 ), Malware , Newly Registered Domain , Phishing , Dynamic DNS , Allow List , Benign , Grayware , Parked , Proxy , and Any Category , to filter the data set based on a DNS type.
The Allow List category is a list maintained by Palo Alto Networks of explicitly allowable domains based on metrics from PAN-DB and Alexa. These allow list domains are frequently accessed and known to be free from malicious content.
- Filter by DNS action—Select from Allow , Block , and Sinkhole to filter based on the action taken on a DNS query based on your DNS Security profile action settings.
- Optionally, you can also Download, Share, and Schedule Activity Reports.
- You can re-contextualize, interact, and pivot from the data provided by the dashboard cards. For an overview of each of the DNS Security dashboard cards, see DNS Security Dashboard cards.
DNS Security Dashboard Cards
The cards populating the DNS Security dashboard are interactive and allows you to view additional details or pivot to a list of specific requests, events, and domains, as it pertains to how the content is shown.
The following list provides an overview of the DNS Security dashboard cards:
| Card Name | Description |
|---|---|
| DNS Requests |
Displays the total number of DNS requests that have been processed by
DNS Security
.
Screenshot showing the DNS Requests card.
|
| Malicious DNS Requests |
Displays a stacked bar graph showing DNS requests that have been categorized based on the currently available types that are considered malicious. The total number is shown in the upper-left while a breakdown of categorical variables are indicated below.
Screenshot showing the Malicious DNS Requests card.
|
| Subscription |
Displays the number of devices in your network with an active
DNS Security
subscription. A percentage of devices that are not equipped with
DNS Security
or with an elapsed subscription is also shown with a link to a complete list.
Screenshot showing the Subscription status card.
|
| High-Risk DNS Category Trend |
Displays a trend chart showing a breakdown of the DNS requests based on the DNS category or the action applied to the DNS request over the observable time range.
Screenshot showing the High-Risk DNS Category Trend card.
|
| DNS Category Distribution Across Actions |
Displays a flow diagram that provides a visualization of the distributions of actions taken for high-risk DNS categories. A secondary table shows the actions taken for lower-priority DNS categories.
Screenshot showing the DNS Category Distribution Across Actions flow diagram.
|
| Domains |
Displays the number of domains seen in your network, within your industry, other industries, as well as the total number, based on the selected DNS category. Allows you to compare your organization’s DNS usage to other organizations within the industry as well as against globally collected data, including a list of domain requests found exclusively in your network.
Screenshot showing the Domains card.
|
| Top 10 Domains |
Provides a list of the top 10 most commonly requested domains from your network along with the DNS category and the action taken. You can view more details and the relevant logs for a domain by clicking the appropriate icon. Select
View All DNS Requests
for a complete list of domains that have been accessed.
Screenshot showing the Top 10 Domains card.
|
| DNS Resolvers |
Provides two lists showing the most resolved malicious domains and the least resolved domains in your network.
Screenshot showing the DNS Resolvers card.
|
| Misconfigured Domains (Advanced DNS Security) |
Provides a list of non-resolvable domains associated with the user specified public-facing parent domain(s). For each entry, there is a misconfiguration reason and a traffic hit count based on the source IP.
Screenshot showing the Misconfigured Domains widget in the DNS Security Dashboard (Strata Cloud Manager). |
| Hijacked Domains (Advanced DNS Security) |
Provides a list of hijacked domains as determined by
Advanced DNS Security
. For each entry, there is a categorization reason and a traffic hit count based on the source IP.
Screenshot showing the Hijacked Domains widget in the DNS Security Dashboard (Strata Cloud Manager). |
View DNS Security Logs
You can browse, search, and view DNS Security logs that are automatically generated when DNS Security encounters a qualifying event. Typically, this includes any domain category that DNS Security analyzes unless it is specifically configured with a log severity level of none. Log entries provide numerous details about the event, including the threat level and, if applicable, the nature of threat.
DNS Security logs are accessible directly on the firewall or through Strata Logging Service -based log viewers (AIOps for NGFW Free, Cloud Management, Strata Logging Service, etc). While the firewall allows you to access malicious threat log entries that are generated when users make DNS queries, benign DNS requests are not recorded. DNS Security data is also forwarded to Strata Logging Service through log forwarding (as threat logs) and DNS Security telemetry (as DNS Security logs ), which are then referenced by various activity log viewer applications. DNS Security telemetry operates with minimal overhead, which limits the amount of data sent to Strata Logging Service ; as a result, only a subset of DNS queries are forwarded to Strata Logging Service as DNS Security log entries, regardless of the severity level, threat type, or category. The threat logs for malicious DNS requests that are forwarded to Strata Logging Service using log forwarding are available in their entirety. As a result, Palo Alto Networks recommends viewing logs for malicious DNS requests as threat logs instead of DNS Security logs.
PAN-OS & Panorama
- Log in to the PAN-OS web interface.
- Search for activity on the firewall for queries that have been processed using DNS Security .
- Select Monitor > Logs > Threat and filter based on the DNS category.
Consider the following examples:
- ( category-of-threatid eq dns-c2 ) to view logs that have been determined to be a C2 domain by DNS Security .
- ( category-of-threatid eq adns-hijacking ) , whereby the variable adns-hijacking indicates DNS queries that have been categorized as a malicious DNS hijacking attempt by Advanced DNS Security .
To search for other DNS types, replace c2 with another supported DNS category (ddns, parked, malware, etc).
Screenshot showing filtering Threat Logs by DNS Category in PAN-OS.
- Select a log entry to view the details of a detected DNS threat.
- The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
Screenshot showing details of a Threat Log entry in PAN-OS.
- For stockpiled domains and DNS tunneling domains, including tunneling-based APTs (advanced persistent threats), you can view the various tools used in the attack, as well as the attack campaigns associated with the domain. This is reflected in the Threat ID/Name field for the log entry for a given domain. The Threat ID/Name for DNS domains with attributions use the following format; in this example, for DNS tunnel domains: Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>, whereby the tool_name refers to the DNS tunneling tools used to embed data into the DNS queries and responses, but also the cyber threat campaign name, in a comma-separated list. These campaigns can be industry accepted incidents and use the same naming conventions or might be one identified and named by Palo Alto Networks and described in the Unit 42 Threat Research blogs . A blog of such a campaign, in this case, one leveraging DNS tunneling techniques, can be found here: Leveraging DNS Tunneling for Tracking and Scanning. Alternatively, you can also view the attribution information from the Palo Alto Networks ThreatVault and the URL Filtering Test A Site .
The associated tool and campaign attributions might take some time after the initial detection has completed to become viewable in the logs as well as the Palo Alto Networks ThreatVault and Test-A-Site. When the attribution component finishes and has been verified, the complete DNS tunneling tools and campaign details display as expected in the Threat ID/Name and campaign fields.
Consider the following examples:
- DNS Tunneling Domain APT Attribution
- PAN-OS
Screenshot showing Threat Log details with DNS Tunneling attribution in PAN-OS.
- ThreatVault
Screenshot of ThreatVault showing DNS Tunneling attribution.
- URL Filtering Test-A-Site
Screenshot of URL Filtering Test-A-Site showing DNS Tunneling attribution.
- Stockpiled Domain APT Attribution
- PAN-OS
Screenshot showing Threat Log details with Stockpiled Domain attribution in PAN-OS.
- ThreatVault
Screenshot of ThreatVault showing Stockpiled Domain attribution.
- URL Filtering Test-A-Site
Screenshot of URL Filtering Test-A-Site showing Stockpiled Domain attribution.
AIOps for NGFW Free
- Use the credentials associated with your Palo Alto Networks support account and log in to the AIOps for NGFW Free application on the hub.
- Select Log Viewer and select Threat logs.
- Submit a log query based on the DNS category using the query builder (e.g., threat_category = 'dns-c2' ).
Strata Logging Service
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Logging Service on the hub.
- Select Log Forwarding and select Threat logs or DNS Security logs.
- Submit a log query based on the DNS category using the query builder (e.g., threat_category = 'dns-malware' ).
Quiz: DNS Security Subscription Services
Test your knowledge on Palo Alto Networks DNS Security subscriptions!