DNS Security Signature Categories

DNS Security Categories allows you to create precise security actions based on the threat posture of a domain type.
The DNS Security Service provides individually configurable DNS signature sources, which enables you to define separate policy actions as well as a log severity level for a given signature source. This enables you to create discrete, precise security actions based on the threat posture of a domain type according to your network security protocols. The DNS signature source definitions are extensible through PAN-OS content releases so, when new DNS Security analyzers are introduced, you are able to create specific policies based on the nature of the threat.
Upon upgrade to PAN-OS 10.0 and later, the DNS Security source gets redefined into new categories to provide extended granular controls; as a result, the new categories will overwrite the previously defined action and acquire default settings. Make sure to reapply any sinkhole, log severity, and packet captures settings appropriate for the newly defined DNS Security Categories. For details about the automatic configuration changes, refer to Upgrade/Downgrade Considerations.
  1. Select
    Objects
    Security Profiles
    Anti-Spyware
    and select a profile to modify.
  2. Select
    DNS Policies
    to modify the signature source configuration.
  3. In the
    Signature Source
    table, scroll to
    DNS Security
    and select a log severity, policy action, and packet capture setting for each signature source type.
    The following signature types available for configuration:
    • Command and Control Domains
    • Malware Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Dynamic DNS Hosted Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Newly Registered Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Phishing Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Grayware Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Parked Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Proxy Avoidance and Anonymizers
    • The Dynamic DNS Hosted Domains, Newly Registered Domains, and Phishing Domains, Grayware Domains, Parked Domains, and the Proxy Avoidance and Anonymizers signature sources were introduced in PAN-OS 10.0. Access to some of these signature sources may require the download and installation of a content release. For more information, refer to DNS Security Analytics.
  4. Click
    OK
    to save the Anti-Spyware profile and
    Commit
    your changes.
See Enable DNS Security for information about testing policy actions, monitoring DNS activity, and creating DNS signature exceptions.

Recommended For You