DNS Security Data Collection and Logging


Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series Firewall

What Do I Need?
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
The DNS Security service collects server response and request information based on your security policy rules, the associated action, and the DNS query details when performing domain lookups, and uses it to generate DNS Security logs for Cortex Data Lake-based activity applications (AIOps for NGFW Free, Prisma Access, Cortex Data Lake, etc.). Additionally, the network security platform forwards supplemental DNS data to the DNS Security cloud servers, where Palo Alto Networks services use it to provide more accurate domain information (such as provider ASN, hosting information, and geolocation identification). While this supplemental data is not necessary to operate the DNS Security service, it provides the resources to generate improved analytics, DNS detection, and prevention capabilities. This forwarding occurs less than 30 seconds after data collection. To minimize firewall performance impact, DNS Security telemetry operates with minimal overhead, which can limit the total amount of DNS telemetry data sent to Cortex Data Lake; consequently, only a subset of DNS queries are forwarded to Cortex Data Lake as DNS Security log entries. As a result, Palo Alto Networks recommends viewing logs for malicious DNS requests as threat logs instead of DNS Security logs.
Malicious DNS queries are also recorded as threat logs and are submitted to Cortex Data Lake using PAN-OS log forwarding (when appropriately configured).
DNS Security can submit the following data fields:
  • Action: The policy action taken on the DNS query.
  • Type: The DNS record type.
  • Response: The IP address that the domain in the DNS query resolved to.
  • Response Code: The DNS response code received as the answer to your DNS query.
  • Source IP: The IP address of the system that made the DNS request.
  • Source User: The identity of the DNS requester, shown when the firewall User-ID feature is enabled.
  • Source Zone: The configured source zone referenced in your security policy rule.
DNS expanded data collection is bypassed for domains added to the Allow list in DNS Exceptions.
Data fields that can be used to potentially identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission using the following CLI command:
  set deviceconfig setting ctd cloud-dns-privacy-mask yes
You must commit the changes for the update to take effect.
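The following is an added example, not Palo Alto Networks code: it models which of the fields listed above leave the firewall under the two rules this page describes, the DNS Exceptions allow-list bypass and the cloud-dns-privacy-mask setting. The `domain` field, the dataclass field names, exact-name allow-list matching, and the sample record are all assumptions of the example.

```python
# Added example, not Palo Alto Networks code: models which DNS Security log
# fields leave the firewall under the two rules this page describes, namely
# the DNS Exceptions allow-list bypass and the cloud-dns-privacy-mask setting.
from dataclasses import dataclass, asdict
from typing import Iterable, Optional

# Fields the page lists as able to identify a user; withheld once
# "set deviceconfig setting ctd cloud-dns-privacy-mask yes" is committed.
USER_IDENTIFYING_FIELDS = frozenset({"source_ip", "source_user", "source_zone"})


@dataclass
class DnsSecurityRecord:
    action: str         # policy action taken on the DNS query
    record_type: str    # DNS record type (A, AAAA, TXT, ...)
    response: str       # IP address the queried domain resolved to
    response_code: str  # DNS response code returned for the query
    source_ip: str
    source_user: str
    source_zone: str
    domain: str         # queried domain; assumed field, used for the allow-list check


def _normalize(domain: str) -> str:
    """Case-fold and drop a trailing dot so 'Corp.Example.' matches 'corp.example'."""
    return domain.strip().lower().rstrip(".")


def build_submission(rec: DnsSecurityRecord, privacy_mask: bool,
                     allow_list: Iterable[str]) -> Optional[dict]:
    """Return the fields that would be submitted, or None when expanded data
    collection is bypassed because the domain is on the DNS Exceptions allow list.
    Exact-name matching of the allow list is an assumption of this example."""
    if _normalize(rec.domain) in {_normalize(d) for d in allow_list}:
        return None
    fields = asdict(rec)
    if privacy_mask:
        for name in USER_IDENTIFYING_FIELDS:
            fields.pop(name)
    return fields


# Constructed sample record (not real traffic).
SAMPLE = DnsSecurityRecord("sinkhole", "A", "203.0.113.7", "NOERROR",
                           "10.1.2.3", "corp\\jdoe", "trust", "bad.example")

if __name__ == "__main__":
    print(build_submission(SAMPLE, privacy_mask=True, allow_list=["corp.example"]))
    print(build_submission(SAMPLE, privacy_mask=False, allow_list=["bad.example"]))
```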