Configure DNS-Over-TLS
Focus
Focus
DNS Security

Configure DNS-Over-TLS

Table of Contents

Configure DNS-Over-TLS

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series Firewall
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
You can get visibility and control over DNS-over-TLS requests by decrypting the DNS payload contained within the encrypted DNS request. The decrypted DNS payload can then be processed using the security profile configuration containing your DNS policy settings. DNS requests that have been determined to have originated from TLS sources have a source port of 853 in the threat logs.

Cloud Management

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the
    Strata Cloud Manager
    application on the hub.
  2. Enable DNS Security is configured to inspect DNS requests. You can use your existing security profile if you want to use the same
    DNS Policies
    settings for DNS-over-TLS traffic.
  3. Create a decryption policy rule with an action to decrypt HTTPS traffic on port 853, which includes DNS-over-TLS traffic (refer to the Decryption Best Practices for more information). When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the logs will appears as the conventional
    dns-base
    application.
  4. (Optional)
    Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security.
    1. Select
      Activity
      Log Viewer
      and select
      Threat
      logs. Use the query builder to filter based on the application using
      dns-base
      and port 853 (which is exclusively used for DNS-over-TLS transactions), for example,
      app = 'dns-base' AND source_port = 853
      .
    2. Select a log entry to view the details of the detected DNS threat.
    3. The
      Application
      should display
      dns-base
      in the
      General
      pane and the
      Port
      in the
      Source
      pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding tabs.

PAN-OS & Panorama

  1. Enable DNS Security is configured to inspect DNS requests. You can use your existing security profile if you want to use the same
    DNS Policies
    settings for DNS-over-TLS traffic.
  2. Create a decryption policy rule (similar to the example below) with an action to decrypt HTTPS traffic on port 853, which includes DNS-over-TLS traffic (refer to the Decryption Best Practices for more information). When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the logs will appears as the conventional
    dns-base
    application.
  3. (Optional)
    Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security.
    1. Select
      Monitor
      Logs
      Traffic
      and filter based on the application using
      dns-base
      and port 853 (which is exclusively used for DNS-over-TLS transactions), for example,
      ( app eq dns-base ) and ( port.src eq 853 )
      .
    2. Select a log entry to view the details of a detected DNS threat.
    3. The
      Application
      should display
      dns-base
      in the
      General
      pane and the
      Port
      in the
      Source
      pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.

Recommended For You