DNS Security Signature Categories

DNS Security Categories allow you to create precise security actions based on the threat posture of a domain type.
The DNS Security Service provides individually configurable DNS signature sources, which lets you define a separate policy action and log severity level for each signature source. You can then create discrete, precise security actions based on the threat posture of a domain type, according to your network security protocols. The DNS signature source definitions are extensible through PAN-OS content releases, so when new DNS Security analyzers are introduced, you can create specific policies based on the nature of the threat.
Upon upgrade to PAN-OS 10.0 and later, the DNS Security source gets redefined into new categories to provide extended granular controls; as a result, the new categories will overwrite the previously defined action and acquire default settings. Make sure to reapply any sinkhole, log severity, and packet capture settings appropriate for the newly defined DNS Security Categories. For details about the automatic configuration changes, refer to Upgrade/Downgrade Considerations.
  1. Select Objects > Security Profiles > Anti-Spyware and select a profile to modify.
  2. Select DNS Policies to modify the signature source configuration.
  3. In the Signature Source table, scroll to DNS Security and select a log severity, policy action, and packet capture setting for each signature source type.
    There are five signature types available for configuration:
    • Command and Control Domains
    • Malware Domains
    • (PAN-OS 10.0 and later versions only) Dynamic DNS Hosted Domains
    • (PAN-OS 10.0 and later versions only) Recently Registered Domains
    • (PAN-OS 10.0 and later versions only) Phishing Domains

    • The Dynamic DNS Hosted Domains, Recently Registered Domains, and Phishing Domains signature sources are introduced in PAN-OS 10.0.
    • The Benign Domains signature source category is non-operational and will be phased out in an upcoming release.
  4. Click OK to save the Anti-Spyware profile and Commit your changes.
See Enable DNS Security for information about testing policy actions, monitoring DNS activity, and creating DNS signature exceptions.
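
The upgrade note above asks you to reapply settings for the redefined categories. As an added example (not Palo Alto Networks code), the Python script below compares the DNS Security signature sources in an exported configuration against an intended baseline and lists every setting that drifted. The XML layout, the pan-dns-sec-* entry names, the value strings, the profile name, and the baseline values are assumptions; adjust them to match your own export.

```python
import xml.etree.ElementTree as ET

# Intended (action, log-level, packet-capture) per signature source.
# Hypothetical baseline; entry names and value strings are assumed, not from the page.
BASELINE = {
    "pan-dns-sec-cc": ("sinkhole", "high", "single-packet"),
    "pan-dns-sec-malware": ("sinkhole", "medium", "disable"),
    "pan-dns-sec-ddns": ("block", "informational", "disable"),
    "pan-dns-sec-recent": ("block", "low", "disable"),
    "pan-dns-sec-phishing": ("sinkhole", "low", "disable"),
}
SETTINGS = ("action", "log-level", "packet-capture")

# Constructed sample export (assumed layout): after an upgrade, Malware Domains
# is back at defaults and Recently Registered Domains has no entry at all.
SAMPLE = """<config><profiles><spyware><entry name="corp-antispyware">
<botnet-domains><dns-security-categories>
<entry name="pan-dns-sec-cc"><action>sinkhole</action><log-level>high</log-level><packet-capture>single-packet</packet-capture></entry>
<entry name="pan-dns-sec-malware"><action>default</action><log-level>default</log-level><packet-capture>disable</packet-capture></entry>
<entry name="pan-dns-sec-ddns"><action><block/></action><log-level>informational</log-level><packet-capture>disable</packet-capture></entry>
<entry name="pan-dns-sec-phishing"><action>sinkhole</action><log-level>low</log-level><packet-capture>disable</packet-capture></entry>
</dns-security-categories></botnet-domains>
</entry></spyware></profiles></config>"""

def _value(entry, setting):
    """Read a setting stored either as element text or as an empty child element."""
    node = entry.find(setting) if entry is not None else None
    if node is None:
        return "(unset)"
    text = (node.text or "").strip()
    return text or (node[0].tag if len(node) else "(unset)")

def audit(xml_text, baseline=BASELINE):
    """Return (profile, source, setting, found, expected) for each drifted setting."""
    findings = []
    for profile in ET.fromstring(xml_text).findall(".//spyware/entry"):
        path = "./botnet-domains/dns-security-categories/entry"
        sources = {e.get("name"): e for e in profile.findall(path)}
        for source, wanted in baseline.items():
            for setting, expected in zip(SETTINGS, wanted):
                found = _value(sources.get(source), setting)
                if found != expected:
                    findings.append((profile.get("name"), source, setting, found, expected))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s %s is %s, expected %s" % finding)
```

A signature source that is missing from the profile is reported as (unset) for all three settings, so a category that silently fell back to defaults shows up alongside one that was explicitly set to the wrong value.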
