Domain Name Service (DNS) is a critical and foundational protocol of the internet, as described in the core RFCs for the protocol. Malicious actors have utilized command and control (C2) communication channels over the DNS and, in some cases, have even used the protocol to exfiltrate data. DNS exfiltration can happen when a bad actor compromises an application instance in your VPC and then uses DNS lookup to send data out of the VPC to a domain that they control. Malicious actors can also infiltrate malicious data and payloads to the VPC workloads over DNS. Palo Alto Networks Unit 42 research has described different types of DNS abuse discovered.

Cloud NGFW for AWS allows you to protect your VPC traffic from advanced DNS-based threats, by monitoring and controlling the domains that your VPC resources query. With Cloud NGFW for AWS. You can deny access to the domains that Palo Alto Networks considers bad or suspicious and allow all other queries.

Cloud NGFW uses the Palo Alto Networks DNS Security service which proactively detects malicious domains by generating DNS signatures using advanced predictive analysis and machine learning, with data from multiple sources (such as WildFire traffic analysis, passive DNS, active web crawling & malicious web content analysis, URL sandbox analysis, Honeynet, DGA reverse engineering, telemetry data, whois, the Unit 42 research organization, and Cyber Threat Alliance). DNS security service then continuously distributes these DNS signatures to your Cloud NGFW resources to proactively defend against malware using DNS for command and control (C2) and data theft.

DNS Security for Cloud NGFW requires Panorama. Configure all DNS Security-related policy rules on Panorama and push them to Cloud NGFW resources as part of a Cloud Device Group.

To enable DNS Security in Cloud NGFW resources—