Security Profile: DNS Security
Focus
Focus
Network Security

Security Profile: DNS Security

Table of Contents

Security Profile: DNS Security

DNS Security is a continuously evolving threat prevention service designed to protect and defend your network from advanced threats using DNS.
Where Can I Use This?What Do I Need?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
Check for any license or role requirements for the products you're using.
Enable DNS Security to access the full database of Palo Alto Networks signatures, including those generated using advanced machine learning and predictive analytics.
DNS Security is a continuously evolving threat prevention cloud service that is designed to protect and defend your network from advanced DNS-based threats. By applying advanced machine learning and predictive analytics to a diverse range of threat intelligence sources, DNS Security rapidly generates enhanced DNS signatures to defend against known malicious DNS categories, as well as real-time analysis of DNS requests to defend your network against newly generated and unknown malicious domains. DNS Security can detect various C2 threats, including DNS tunneling, DNS rebinding attacks, domains created using auto-generation, malware hosts, and many more. DNS Security requires and works with your Advanced Threat Prevention or Threat Prevention subscription for complete DNS threat coverage. Combined with an extensible cloud architecture, DNS Security provides access to a scalable threat intelligence system to keep your network protections up to date.
Before you can enable and configure DNS Security, you must obtain and install a Threat Prevention (or Advanced Threat Prevention) license as well as a DNS Security license in addition to any platform licenses from where it is operated. Licenses are activated from the Palo Alto Networks Customer Support Portal and must be active before DNS analysis can take place. Additionally, DNS Security (similar to other Palo Alto Networks security services) is administered through security profiles, which in turn is dependent on the configuration of network enforcement policies as defined through security rules. Before enabling DNS Security, it is recommended that you familiarize yourself core components of the security platform in which the security subscriptions are enabled. Refer to your product documentation for more information.
To enable DNS Security, you must create (or modify) an Anti-Spyware security profile to access the DNS Security service, configure the log severity and policy settings for the DNS signature category (or categories), and then attach the profile to a security policy rule.

Security Profile: DNS Security (Strata Cloud Manager)

Learn how to configure a DNS Security profile in Strata Cloud Manager.
Here's how to configure a DNS Security profile. See Enable DNS Security for detailed steps.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention) license is active. Select ManageConfigurationNGFW and Prisma AccessOverview and click the license usage terms link in the License panel. You should see green check marks next to the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS Security.
  3. Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
    If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
  4. Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole.
    If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
  5. Attach the DNS Security profile to a Security policy rule.
    A DNS Security profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a DNS Security profile (and any Security profile).
  6. Test that the policy action is enforced.

Security Profile: DNS Security (PAN-OS & Panorama)

Learn how to configure a DNS Security profile in PAN-OS & Panorama.
Here's how to configure a DNS Security profile. See Enable DNS Security for detailed steps.
  1. To take advantage of DNS Security, you must have an active DNS Security and Threat Prevention (or Advanced Threat Prevention) subscription.
    Verify that you have the necessary subscriptions. To verify which subscriptions that you currently have licenses for, select DeviceLicenses and verify that the appropriate licenses display and have not expired.
  2. Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
    If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
  3. Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole.
    If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
  4. Attach the Anti-Spyware profile to a Security policy rule.
  5. Test that the policy action is enforced.