Enable Advanced DNS Security (Strata Cloud Manager)

1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
2. Verify that a DNS Security and a Threat Prevention license is active. Select ManageConfigurationNGFW and Prisma AccessOverview and click the license usage terms link in the License panel. You should see green check marks next to the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS Security.
3. Update or create a new DNS Security profile to enable real-time Advanced DNS Security queries. Typically, this is your existing DNS Security profile used for the DNS Security configuration.

   1. Select an existing DNS Security profile or Add a new one (ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security).
   2. Select your DNS Security profile and then go to DNS Categories.
   3. For each Advanced DNS Security domain category, specify a policy Action to take when a corresponding domain type is detected. There are currently two analysis engines available: DNS Misconfiguration Domains and Hijacking Domains.
      Policy Action Options:
      • allow—The DNS query is allowed.
        You can configure Strata Cloud Manager to generate an alert when the applicable domain type is detected by setting the action to allow and the log severity to informational.
      • block—The DNS query is blocked.
      • sinkhole—Forges a DNS response for a DNS query targeting a detected malicious domain. This directs the resolution of the malicious domain name to a specific IP address (referred to as the Sinkhole IP), which is embedded as the response. The default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
4. (Optional) Specify any public-facing parent domains within your organization that you want Advanced DNS Security to analyze and monitor for the presence of misconfigured domains. Misconfigured domains are inadvertently created by domain owners who point alias records to third party domains using CNAME, MX, NS record types, using entries that are no longer valid, allowing an attacker to take over the domain by registering the expired or unused domains.

   TLDs (top-level domains) and root level domains cannot be added to the DNS Zone Misconfigurations list.

   1. Select a DNS Security profile (ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security) that contains an Advanced DNS Security configuration.
   2. In the DNS Zone Misconfigurations section, add public-facing parent domains with an optional description to assist you in identifying domain usage or ownership within your organization.
      Entries must have a "." contained in the domain using the following format (e.g. paloaltonetworks.com), otherwise it gets parsed as a hostname, which is considered a private domain.
   3. Click OK to exit and save the DNS Security security profile.
5. (Optional) Monitor activity on Strata Cloud Manager for DNS queries that have been detected using Advanced DNS Security. DNS Security Categories analyzed using Advanced DNS Security real-time analysis of the DNS response packet have the prefix ‘adns’ followed by the category. For example, adns-dnsmisconfig, whereby ‘dnsmisconfig’ indicates the supported DNS category type. If the DNS domain category was determined by analyzing the DNS request packet, the specified category is displayed with the prefix ‘dns’ followed by the category. For example, ‘dns-grayware.’

   1. Access the Advanced DNS Security test domains to verify that the policy action for a given threat type is being enforced.
   2. Select Incidents & AlertsLog Viewer. You can filter the threat logs based on the specific type of Advanced DNS Security domain category, for example threat_category.value = 'adns-hijacking', whereby the variable adns-hijacking indicates DNS queries that have been categorized as a malicious DNS hijacking attempt by Advanced DNS Security. The following Advanced DNS Security threat categories available in the logs:

      Advanced DNS Security Categories

      • DNS Hijacking—adns-hijacking
        DNS Hijacking domains have a threat ID of (UTID: 109,004,100).
      • DNS Misconfiguration—adns-dnsmisconfig
        DNS Misconfiguration domains have three threats IDs, which correspond to three variants of DNS misconfiguration domains types: dnsmisconfig_zone (UTID: 109,004,200), dnsmisconfig_zone_dangling (UTID: 109,004,201), and dnsmisconfig_claimable_nx (UTID: 109,004,202). You can constrain the search by cross-referencing a Threat-ID value that corresponds to a specific DNS misconfiguration domain type. For example, threat_category.value = 'adns-dnsmisconfig' and Threat ID = 109004200, whereby 109004200 indicates the Threat ID of a DNS misconfiguration domain that does not route traffic to an active domain due to a DNS server configuration issue.

      DNS Categories analyzed using Advanced DNS Security enhanced response analysis.

      • DNS —adns-benign
      • Malware Domains —adns-malware
      • Command and Control Domains—adns-c2
      • Phishing Domains—adns-phishing
      • Dynamic DNS Hosted Domains—adns-ddns
      • Newly Registered Domains—adns-new-domain
      • Grayware Domains—adns-grayware
      • Parked Domains—adns-parked
      • Proxy Avoidance and Anonymizers—adns-proxy
      • Ad Tracking Domains—adns-adtracking

      If the DNS query does not complete within the specified timeout period for Advanced DNS Security, the DNS Security categorization will be used, when possible. In those instances, the legacy notation for the category is used, for example, instead of adns-malware, it will be categorized as dns-malware, indicating that the DNS Security categorization value was used.
   3. Select a log entry to view the details of the DNS query.
   4. The DNS Category is displayed under the General pane of the detailed log view. In addition, you can see other aspects if the threat, including the origin URL, the specific threat type, and associated characteristics.
6. (Optional) Retrieve a list of misconfigured domains and hijacked domains detected by the Advanced DNS Security service. The misconfigured domains are based on the public-facing parent domain entries added to DNS Zone Misconfigurations.

   Misconfigured domain entries that are removed from your network are not immediately reflected in the Advanced DNS Security dashboard statistics.

   1. Use the credentials associated with your Palo Alto Networks support account and log in to Strata Cloud Manager on the hub.
   2. Select DashboardsMore DashboardsDNS Security to open the DNS Security dashboard.
   3. From the DNS Security dashboard, refer to the following widgets:

      • Misconfigured Domains—View a list of non-resolvable domains associated with the user-specified public-facing parent domain(s). For each entry, there is a misconfiguration reason and a traffic hit count based on the source IP.
      • Hijacked Domains—View a list of hijacked domains as determined by Advanced DNS Security. For each entry, there is a categorization reason and a traffic hit count based on the source IP.