Enable DNS Security

Configure your firewall to enable DNS sinkholing using the DNS Security service.
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, configure the log severity and policy settings for each DNS signature category, and then attach the profile to a security policy rule.
  1. Configure DNS signature policy settings to send malware DNS queries to the defined sinkhole.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Create or modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name
      the profile and, optionally, provide a description.
    4. Select the
      DNS Policies
      tab.
    5. In the
      Signature Source
      column, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as a log severity level.
      • Specify the log severity level that is recorded when the firewall detects a domain matching a DNS signature. For more information about the various log severity levels, refer to Threat Severity Levels.
      • Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
      • In the
        Packet Capture
        drop-down, select
        single-packet
        to capture the first packet of the session or
        extended-capture
        to set between 1-50 packets. You can then use the packet captures for further analysis.
    6. In the
      DNS Sinkhole Settings
      section, verify that
      Sinkhole
      is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
      If you want to modify the
      Sinkhole IPv4
      or
      Sinkhole IPv6
      address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    7. Click
      OK
      to save the Anti-Spyware profile.
    DNS-cloud-sigs-source.png
  2. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select
      Policies
      Security
      .
    2. Select or create a
      Security Policy Rule
      .
    3. On the
      Actions
      tab, select the
      Log at Session End
      check box to enable logging.
    4. In the Profile Setting section, click the
      Profile Type
      drop-down to view all
      Profiles
      . From the
      Anti-Spyware
      drop-down and select the new or modified profile.
    5. Click
      OK
      to save the policy rule.
  3. Test that the policy action is enforced.
    1. Access the following test domains to verify that the policy action for a given threat type is being enforced:
    2. To monitor the activity on the firewall:
      1. Select
        ACC
        and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
      2. Select
        Monitor
        Logs
        Threat
        and filter by
        (action eq sinkhole)
        to view logs on sinkholed domains.
  4. (Optional) Add domain signature exceptions in cases where false-positives occur.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select a profile to modify.
    3. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Exceptions
      .
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the checkbox for each
      Threat ID
      of the DNS signature that you want to exclude from enforcement.
    6. Click
      OK
      to save your new or modified Anti-Spyware profile.
      DNS-exceptions.png
  5. (Optional) Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select a profile to modify.
    3. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Exceptions
      .
    4. To
      Add
      a new
      FQDN Allow List
      , provide the DNS domain or FQDN location and a description.
    5. Click
      OK
      to save your new or modified Anti-Spyware profile.
  6. (Optional) Verify your firewall’s connectivity to the DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.
    Use the following CLI command on the firewall to verify your firewall’s connection availability to the DNS Security service.
    show dns-proxy dns-signature info
    <fqdn>
    For example:
    show dns-proxy dns-signture info Cloud URL: dns.service.paloaltonetworks.com:443 Telemetry URL: io.dns.service.paloaltonetworks.com:443 Last Result: None Last Server Address: Parameter Exchange: Interval 300 sec Whitelist Refresh: Interval 43200 sec Request Waiting Transmission: 0 Request Pending Response: 0 Cache Size: 0
  7. (Optional) Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.
    Use the following CLI command on the firewall to review the details about the list.
    test dns-proxy dns-signature fqdn
    For example:
    test dns-proxy dns-signature fqdn www.yahoo.com DNS Signature Query [ www.yahoo.com ] Completed in 178 ms DNS Signature Response Entries: 2 Domain Category GTID TTL ------------------------------------------------------------------------------------------------- *.yahoo.com Benign 0 86400 www.yahoo.com Benign 0 3600
  8. (Optional) Configure the DNS signature lookup timeout setting. If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, are passed through. You can check the average latency to verify that the requests fall within the configured period. If the average latency exceeds the configured period, consider updating the setting to a value that is higher than the average latency to prevent requests from timing out.
    1. In the CLI, issue the following command to view the average latency.
      show dns-proxy dns-signature counters
      The default timeout is 100 milliseconds.
    2. Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.
      Signature query API: . . . [latency ] : max 1870 (ms) min 16(ms) avg 27(ms) 50 or less : 47246 100 or less : 113 200 or less : 25 400 or less : 15 else : 21
    3. If the average latency is consistency above the default timeout value, you can raise the setting so that the requests fall within a given period. Select
      Device > Content-ID
      and update the
      Realtime Signature Lookup
      setting.
    4. Commit the changes.
To view the sinkholed DNS queries, view the threat logs (
Monitor > Logs
, then select the log type from the list):
dga-threat-log.png

Recommended For You