Enable Passive DNS Collection for Improved Threat Intelligence

Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis, in order to improve threat intelligence and threat prevention capabilities. The data collected consists of non-recursive DNS query and response packet payloads: the exchange between your local recursive resolver and authoritative name servers, not the lookups made by individual clients. Data submitted through the Passive DNS Monitoring feature consists solely of the mappings between domain names and the records returned for them (IP addresses for A and AAAA queries, and the names returned for NS, CNAME and MX queries). Palo Alto Networks retains no record of the source of this data and has no way to associate it with the submitter at a later date.
The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.
DNS responses are forwarded to Palo Alto Networks only when all of the following conditions are met:
  • The response (QR) bit is set, i.e. the packet is a response, not a query
  • The truncated (TC) bit is not set
  • The recursion bit is not set (the response belongs to the resolver-to-authoritative exchange, not to a client lookup)
  • The response code (RCODE) is 0 (NOERROR) or 3 (NXDOMAIN)
  • The question count is greater than 0
  • The answer RR count is greater than 0, or it is 0 and the response code is 3 (NXDOMAIN)
  • The query record type is one of A, NS, CNAME, AAAA or MX
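To make the conditions above concrete, the following Python, added here as an illustration and not Palo Alto Networks' own code, parses the DNS header and question section of a raw UDP payload and applies the seven checks in order, reporting which one a packet fails. It assumes the page's "recursive bit" means RD (recursion desired), the flag a client sets and an authoritative server's response leaves clear; the sample packets, the `build_response` helper and the names `passive_dns_eligible`, `parse_dns_header`, `parse_question` and `classify_samples` are all constructed for this example.

```python
import struct

# Query types the page lists as eligible for forwarding (RFC 1035 / RFC 3596 type codes).
ELIGIBLE_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

# Header flag bit positions (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7


def parse_dns_header(packet):
    """Decode the fixed 12-byte DNS header into the fields the checks need."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", packet[:12])
    return {
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def parse_question(packet):
    """Return (qname, qtype, qclass) for the first entry of the question section."""
    offset, labels = 12, []
    while True:
        if offset >= len(packet):
            raise ValueError("question name runs past end of message")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are rare in the question section; refuse rather than mis-parse.
            raise ValueError("compressed label in question name not supported")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if offset + 4 > len(packet):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, qclass


def passive_dns_eligible(packet):
    """Apply the seven conditions from the list above in order; return (eligible, reason).

    Assumption of this example: the page's "recursive bit" is RD (recursion desired).
    """
    h = parse_dns_header(packet)
    if not h["qr"]:
        return False, "QR=0: a query, not a response"
    if h["tc"]:
        return False, "TC=1: truncated response"
    if h["rd"]:
        return False, "RD=1: resolver-to-client traffic, not resolver-to-authoritative"
    if h["rcode"] not in (0, 3):
        return False, "RCODE=%d: not NOERROR (0) or NXDOMAIN (3)" % h["rcode"]
    if h["qdcount"] == 0:
        return False, "QDCOUNT=0: no question to map"
    if h["ancount"] == 0 and h["rcode"] != 3:
        return False, "ANCOUNT=0 without NXDOMAIN (e.g. NODATA): nothing to map"
    qname, qtype, _qclass = parse_question(packet)
    if qtype not in ELIGIBLE_QTYPES:
        return False, "QTYPE=%d: not one of A/NS/CNAME/AAAA/MX" % qtype
    return True, "%s %s" % (ELIGIBLE_QTYPES[qtype], qname)


def build_response(qname, qtype, flags, rcode=0, answer_ips=()):
    """Construct a minimal DNS response (constructed test data, not a capture).

    Each entry in answer_ips becomes one A record whose owner is a compression
    pointer (0xC00C) back to the question name, so ANCOUNT matches the wire content.
    """
    header = struct.pack("!HHHHHH", 0x1234, QR | flags | rcode, 1, len(answer_ips), 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
        for ip in answer_ips
    )
    return header + question + answers


# Constructed sample responses, each exercising one condition.
SAMPLES = {
    "authoritative_a":    build_response("www.example.com", 1, AA, answer_ips=("192.0.2.10",)),
    "resolver_to_client": build_response("www.example.com", 1, RD | RA, answer_ips=("192.0.2.10",)),
    "nxdomain":           build_response("nope.example.com", 1, AA, rcode=3),
    "nodata_noerror":     build_response("www.example.com", 28, AA),
    "truncated":          build_response("www.example.com", 1, AA | TC, answer_ips=("192.0.2.10",)),
    "txt_query":          build_response("www.example.com", 16, AA, rcode=3),
    "servfail":           build_response("www.example.com", 1, AA, rcode=2),
}


def classify_samples():
    """Map each sample name to its (eligible, reason) decision."""
    return {name: passive_dns_eligible(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in classify_samples().items():
        print("%-20s %-8s %s" % (name, "forward" if ok else "drop", why))
```

Only the two samples that come from an authoritative server and carry a usable mapping (an A answer, or an NXDOMAIN for an A name) pass; the resolver-to-client copy of the same answer is rejected on RD alone, which is why the profile must sit on the policy rule covering the resolver's outbound queries rather than the client-facing side.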
Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:
  1. Select Objects > Security Profiles > Anti-Spyware.
  2. Select an existing profile to modify it, or configure a new profile.
     The Anti-Spyware profile must be attached to a security policy rule that governs your DNS server's external DNS traffic, i.e. the queries your recursive resolver sends to authoritative name servers; only that traffic produces the non-recursive responses that meet the forwarding conditions above, so a rule that covers only client-to-resolver lookups will never forward anything.
  3. Select the DNS Signatures tab and select the Enable Passive DNS Monitoring check box.
  4. Click OK and then Commit.
