- Use the credentials associated with your Palo Alto Networks support account and log in to the Prisma Access application on the hub.
- Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention) license is active in the Manage > Service Setup > Overview > License panel.
- Verify that the paloalto-dns-security App-ID in your security policy is configured to allow traffic from the DNS Security cloud service. If your firewall deployment routes your management traffic through an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS Security connectivity.
- Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole. If you use an external dynamic list (EDL) as a domain allow list, it does not take precedence over the DNS Security domain policy actions. As a result, when a domain matches both an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
- Select Manage > Configuration > Security Services > DNS Security.
- Create or modify an existing DNS Security profile.
- Name the profile and, optionally, provide a description.
- In the DNS Categories section, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as the packet capture setting. Palo Alto Networks recommends using the default action setting for all signature sources to ensure optimum coverage as well as to assist with incident response and remediation. For more information about the best practices for configuring your DNS Security settings, refer to Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
- Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Palo Alto Networks recommends setting the action to sinkhole to .
- You can fully bypass DNS traffic inspection by configuring a policy action of Allow with a corresponding log severity of None for each DNS signature source.
- In the Packet Capture drop-down, select single-packet to capture the first packet of the session, or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
- In the DNS Sinkhole Settings section, verify that a valid Sinkhole address is present. For your convenience, the default setting (pan-sinkhole-default-ip) is set to access a Palo Alto Networks sinkhole server. Palo Alto Networks can automatically refresh this address through updates. Sinkhole forges a response to a DNS query for domains that match the DNS category configured for a sinkhole action, directing the client to the specified sinkhole server, to assist in identifying compromised hosts. When the default sinkhole FQDN is used, the firewall sends a CNAME record as the response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identified. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: (184.108.40.206). If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
- Click OK to save the Anti-Spyware profile.
- Attach the DNS Security profile to a Security policy rule.
- Select or create a Security Policy Rule.
- On the Actions tab, select the Log at Session End check box to enable logging.
- In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new or modified profile.
- Click OK to save the policy rule.
- Test that the policy action is enforced.
- Access the following test domains to verify that the policy action for a given threat type is being enforced:
- To monitor the activity:
- View the activity logs and search for the URL Domain with a sinkholed action to view the log entries for the test domain you accessed.
- Optional—Create a decryption policy rule to decrypt DNS-over-TLS (port 853) traffic. The decrypted DNS payload can then be processed using the DNS Security profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appear as a conventional dns-base application with a source port of 853.
- For other monitoring options, see Monitor DNS Security.