>
    Strata Copilot
    Cloud NGFW for AWS DNS Security
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Cloud NGFW for AWS Administration
    4. Protect
    5. Cloud-Delivered Security Services (CDSS)
    6. Cloud NGFW for AWS DNS Security
    Download PDF
    Cloud NGFW for AWS

    Cloud NGFW for AWS DNS Security

    Table of Contents

    Cloud NGFW for AWS DNS Security

    Learn how to secure your VPC traffic from DNS-based threats.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    Domain Name Service (DNS) is a critical and foundational protocol of the internet, as described in the core RFCs for the protocol. Malicious actors have utilized command and control (C2) communication channels over the DNS and, in some cases, have even used the protocol to exfiltrate data. DNS exfiltration can happen when a bad actor compromises an application instance in your VPC and then uses DNS lookup to send data out of the VPC to a domain that they control. Malicious actors can also infiltrate malicious data and payloads to the VPC workloads over DNS. Palo Alto Networks Unit 42 research has described different types of DNS abuse discovered.
    Cloud NGFW for AWS allows you to protect your VPC traffic from advanced DNS-based threats, by monitoring and controlling the domains that your VPC resources query. With Cloud NGFW for AWS. You can deny access to the domains that Palo Alto Networks considers bad or suspicious and allow all other queries.
    Cloud NGFW uses the Palo Alto Networks DNS Security service which proactively detects malicious domains by generating DNS signatures using advanced predictive analysis and machine learning, with data from multiple sources (such as WildFire traffic analysis, passive DNS, active web crawling & malicious web content analysis, URL sandbox analysis, Honeynet, DGA reverse engineering, telemetry data, whois, the Unit 42 research organization, and Cyber Threat Alliance). DNS security service then continuously distributes these DNS signatures to your Cloud NGFW resources to proactively defend against malware using DNS for command and control (C2) and data theft.
    DNS Security for Cloud NGFW requires Panorama or Strata Cloud Manager. Configure all DNS Security-related policy rules on Panorama or SCM and push them to Cloud NGFW resources as part of a Cloud Device Group.
    To enable DNS Security in Cloud NGFW resources:
    1. Configure the DNS Security Policy.
      1. Configure the security policy to enforce DNS security on your Cloud NGFW resource. Follow the steps below that correspond to your management interface (Panorama or Strata Cloud Manager).
        Option A: Configure the DNS Security policy via Panorama
        Enable DNS Security in Panorama by creating an Anti-Spyware profile in Cloud Device Groups associated with your Cloud NGFW Resources.
        Option B: Configure the DNS Security policy via Strata Cloud Manager (SCM)
        1. Log in to the Strata Cloud Manager console.
        2. Select the folder where your Cloud NGFW resource is associated.
      2. Create a DNS Security Profile using one of the following options:
        Option 2A (Recommended) – Use the Best Practice Profile:
        SCM includes a predefined best-practice profile with recommended security settings. If you prefer to use this predefined profile, proceed to the next step 3.
        Option 2B- Create a Custom Profile:
        To create a custom profile with specific settings:
        • Go to Security Services > DNS Security.
        • Click Add Profile, enter a name and configure the DNS Sinkhole settings.
        • Click Save.
      3. Create a Profile Group:
        • Go to Security Services > Profile Groups.
        • Click Add Profile Group and enter a name.
        • In the DNS Security Profile field, select the profile you created in the previous step.
        • Click Save.
      4. Attach the Profile Group to a Security Policy Rule:
        • Go to Policies > Security.
        • Add a new rule or click to edit an existing rule.
        • In the rule configuration, locate the Profile section and select the Profile Group you created.
        • Click Save.
        Push the configuration to your Cloud NGFW resource to apply the changes.
    2. Redirect your DNS traffic in your VPC to your Cloud NGFW resource. How your configure traffic redirection depends on your DNS server setup:

    Private DNS Server

    When using a private or on-premises DNS server, complete the following procedure to direct DNS traffic to your Cloud NGFW endpoints.
    1. Log in to the AWS console.
    2. Select your VPC and then DHCP option sets.
    3. You can create a new DHCP option set and add your DNS server IP address. In this example, 172.18.10.1 is the private DNS server address. If you have an existing DHCP option set with your DNS server configured, view the details and take note of the DNS server IP address.
      This configuration will not work to access private FQDNs and workloads from CNGFW firewalls
    4. Select VPC and choose the VPC to secure.
    5. From the Actions drop-down, select Edit VPC settings.
    6. Under DHCP settings, choose the DHCP option set with your private DNS server configured from the DHCP option set drop-down.
    7. Click Save changes.
      You must ensure that you disable the default AWS Route 53 Resolver (the .2 address). If left enabled, malware can bypass your security controls by querying the AWS resolver directly.
      The selected VPC now directs all DNS queries to the configured DNS server.
    8. Edit your subnet route table.
      1. Select VPCRoute tables.
      2. Select the route table for the subnet you want to secure.
      3. Add a route and set the destination to the IP address of your DNS server.
      4. Click Save changes.

    Route 53 DNS Service

    Complete the following steps to secure DNS traffic in your VPCs when using Amazon’s Route 53 DNS Service. Create a subnet in each availability zone containing workloads to deploy resolver Inbound endpoints.
    1. Log in to the AWS console.
    2. Create an inbound endpoint.
      1. Select ServicesRoute 53ResolverInbound Endpoints.
      2. Click Create inbound endpoint.
      3. Enter a descriptive Name.
      4. Select the VPC for the endpoint.
      5. Attach a security group for this endpoint.
      6. Set the Endpoint Type to IPv4.
      7. Select the availability zone.
      8. Select the subnet you created above.
        If you have more than one availability zone, you must specify the availability zone and subnet for each.
      9. Click Create inbound endpoint.
      10. Note the IP address associated with each subnet attached to your inbound endpoint. Use these IP addresses when configuring your DHCP option sets in the following steps.
    3. Select VPCDHCP option sets.
    4. You can create a new DHCP option set and add the IP address for each availability zone. If you have more than one availability zone, enter each IP address as a comma-separated list.
    5. Select VPC and choose the VPC to secure.
    6. From the Actions drop-down, select Edit VPC settings.
    7. Under DHCP settings, choose the DHCP option set with you created above from the DHCP option set drop-down.
    8. Click Save changes.
      The selected VPC now directs all DNS queries to the configured DNS server.
    9. Edit your subnet route table.
      1. Select VPCRoute Tables.
      2. Select the route table for the subnet you want to secure.
      3. Add a route and set the destination to the IP address of your DNS server and set the target to the Cloud NGFW endpoint.
      4. Click Save changes.
        You must ensure that you disable the default AWS Route 53 Resolver (the .2 address). If left enabled, malware can bypass your security controls by querying the AWS resolver directly.
        Any DNS traffic from the protected subnet is routed through the Cloud NGFW endpoint and on to the Cloud NGFW for inspection and enforcement.

    Private Hosted Zone DNS

    To create a Private Hosted zone in AWS, see Creating a private hosted zone.
    To allow your Cloud NGFW resource to query Route 53 Resolver for any DNS zones (e.g., Private Zones) hosted on Route 53, you create a Route 53 Inbound Endpoint as discussed earlier. The Inbound Endpoint is a bridge for other services to query Route 53 for domain name resolution. When you create an Inbound Endpoint, AWS creates an elastic network interface (ENI) in each availability zone (AZ) that you specify will receive inbound DNS queries.
    1. Open the Amazon VPC console.
    2. Create an inbound endpoint.
      1. Select ServicesRoute 53ResolverInbound Endpoints.
      2. Click Create inbound endpoint.
      3. Enter a descriptive Name.
      4. Select the VPC for the endpoint.
      5. Attach a security group for this endpoint.
      6. Set the Endpoint Type to IPv4.
      7. Select the availability zone.
      8. Select the subnet you created above.
        If you have more than one availability zone, you must specify the availability zone and subnet for each.
      9. Click Create inbound endpoint.
      10. Note the IP address associated with each subnet attached to your inbound endpoint. Use these IP addresses when configuring your DHCP option sets in the following steps.
    3. Select VPCDHCP option sets.
    4. You can create a new DHCP option set and add the IP address for each availability zone. If you have more than one availability zone, enter each IP address as a comma-separated list.
    5. Select VPC and choose the VPC to secure.
    6. From the Actions drop-down, select Edit VPC settings.
    7. Under DHCP settings, choose the DHCP option set with you created above from the DHCP option set drop-down.
    8. Click Save changes.
    9. Edit your subnet route table.
      1. Select VPCRoute Tables.
      2. Select the route table for the subnet you want to secure.
      3. Add a route and set the destination to the IP address of your DNS server and set the target to the Cloud NGFW endpoint.
      4. Click Save changes.
        Any DNS traffic from the protected subnet is routed through the Cloud NGFW endpoint and on to the Cloud NGFW for inspection and enforcement.

    © 2026 Palo Alto Networks, Inc. All rights reserved.