Configure DNS Security
Focus
Focus
Cloud NGFW for Azure

Configure DNS Security

Table of Contents

Configure DNS Security

Enable DNS Security on Cloud NGFW for Azure to proactively detect and defend against DNS-based threats using predictive analysis and machine learning.
Where Can I Use This?What Do I Need?
  • Cloud NGFW for Azure
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Domain Name Service (DNS) is a critical and foundational protocol of the internet, as described in the core RFCs for the protocol. Malicious actors have utilized command and control (C2) communication channels over the DNS and, in some cases, have even used the protocol to exfiltrate data. DNS exfiltration can happen when a bad actor compromises an application instance in your VPC and then uses DNS lookup to send data out of the VPC to a domain that they control. Malicious actors can also infiltrate malicious data and payloads to the VPC workloads over DNS. Palo Alto Networks Unit 42 research has described different types of DNS abuse discovered.
Cloud NGFW for Azure allows you to protect your VPC traffic from advanced DNS-based threats, by monitoring and controlling the domains that your VPC resources query. With Cloud NGFW for Azure. You can deny access to the domains that Palo Alto Networks considers bad or suspicious and allow all other queries.
Cloud NGFW uses the Palo Alto Networks DNS Security service which proactively detects malicious domains by generating DNS signatures using advanced predictive analysis and machine learning, with data from multiple sources (such as WildFire traffic analysis, passive DNS, active web crawling & malicious web content analysis, URL sandbox analysis, Honeynet, DGA reverse engineering, telemetry data, whois, the Unit 42 research organization, and Cyber Threat Alliance). DNS security service then continuously distributes these DNS signatures to your Cloud NGFW resources to proactively defend against malware using DNS for command and control (C2) and data theft.
DNS Security for Cloud NGFW requires Panorama. Configure all DNS Security-related policy rules on Panorama and push them to Cloud NGFW resources as part of a Cloud Device Group.
To inspect DNS traffic, you must enable DNS Proxy on your Cloud NGFW using the Azure portal.
  1. Log in to the Azure portal.
  2. Click the Cloud NGFW icon under Azure Services.
  3. Select your Cloud NGFW instance.
  4. Enable DNS Proxy.
    1. Select SettingsDNS Proxy.
    2. Select the Enabled radio button.
    3. Use the default DNS server or select Custom and specify a DNS server previously configured in your virtual network.
    4. Click Save.
  5. Navigate to the local rulestack associated with your Cloud NGFW instance.
  6. Select Security Services.
  7. Enable DNS Security.
    Enabling DNS Security requires that you enable antispyware. Additionally, both DNS Security and antispyware must be set to best practices.