Enable DNS Security on Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Enable DNS Security on Cloud NGFW for Azure
Enable DNS Security on Cloud NGFW for Azure to proactively detect and defend against
DNS-based threats using predictive analysis and machine learning.
Domain Name Service (DNS) is a critical and foundational internet protocol,
as described in the core RFCs for the protocol. Malicious actors have utilized Command & Control (C2)
communication channels over the DNS and, in some cases, have even used the protocol
to exfiltrate data. DNS exfiltration can happen when a bad actor compromises an
application instance in your network and then uses DNS lookup to send data out of
the network to a domain they control. Malicious actors can also infiltrate malicious
data/payloads to the network workloads over DNS. Over the years, Palo Alto Networks
Unit 42 research has described different types of DNS abuse discovered.
Cloud NGFW for Azure allows you to protect your vNet and vWAN traffic from
advanced DNS-based threats by monitoring and controlling the domains that your
network resources query. With Cloud NGFW for Azure, you can deny access to the
domains that Palo Alto Networks considers bad or suspicious and allow all other
queries to pass through.
For this purpose, Cloud NGFW leverages the Palo Alto Networks’ Domain Name System
(DNS) Security service, which proactively detects malicious domains by generating DNS
signatures using advanced predictive analysis and machine learning, with data from
multiple sources (such as WildFire traffic analysis, passive DNS, active web
crawling & malicious web content analysis, URL sandbox analysis, Honeynet, DGA
reverse engineering, telemetry data, whois, the Unit 42 research organization, and
Cyber Threat Alliance). DNS security service then distributes these DNS signatures
to your Cloud NGFW resources to
proactively defend against malware using DNS for command-and-control (C2)
and data theft.
With DNS security enabled, the Cloud NGFW takes the following actions for
each DNS security category.
Category | Log Severity | Action |
---|---|---|
Ad Tracking Domains | Informational | Allow |
Command and Control (C2) Domains | High | Block |
Dynamic DNS (DDNS) Domains | Informational | Allow |
Grayware Domains | Low | Block |
Malware Domains | Medium | Block |
Newly Registered Domains | Informational | Allow |
Parked Domains | Informational | Allow |
Phishing Domains | Low | Block |
Proxy Avoidance and Anonymizers | Low | Block |
To inspect DNS traffic, you must enable DNS Proxy on your Cloud NGFW for Azure.
- Log in to the Azure portal.Click the Cloud NGFWs icon under Azure Services.Select your Cloud NGFW instance.Enable DNS Proxy.
- Select SettingsDNS Proxy.Select the Enabled radio button.Use the default DNS server or select Custom and specify a DNS server previously configured in your virtual network.Click Save.Navigate to the local rulestack associated with your Cloud NGFW instance.Select Security Services.Enable DNS Security.Enabling DNS Security requires that Anti-Spyware be enabled as well. Additionally, both DNS Security and Anti-Spyware must be set to Best Practices.