1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Threat Prevention
    5. DNS Security
    6. Enable DNS Security

    Enable DNS Security

    Configure your firewall to enable DNS sinkholing using the DNS Security service.
    To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, enable the sinkhole action, and attach the profile to a security policy rule.
    2. Configure DNS signature policy settings to send malware DNS queries to the defined sinkhole.
      1. Select
        Objects
        Security Profiles
        Anti-Spyware
        .
      2. Create or modify an existing profile, or select one of the existing default profiles and clone it.
      3. Name
         the profile and, optionally, provide a description.
      4. Select the
        DNS Signatures
        >
        Policies & Settings
         tab.
      5. If the
        Palo Alto Networks
        DNS Security
         source is not present, click
        Add
         and select it from the list.
      6. Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
      7. (
        Optional
        ) In the
        Packet Capture
         drop-down, select
        single-packet
         to capture the first packet of the session or
        extended-capture
         to set between 1-50 packets. You can then use the packet captures for further analysis.
      8. In the
        DNS Sinkhole Settings
         section, verify that
        Sinkhole
         is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
        If you want to modify the
        Sinkhole IPv4
         or
        Sinkhole IPv6
         address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
      9. Click
        OK
         to save the Anti-Spyware profile.
      DNS-cloud-sigs-source.png
    3. Attach the Anti-Spyware profile to a Security policy rule.
      1. Select
        Policies
        Security
        .
      2. Select or create a
        Security Policy Rule
        .
      3. On the
        Actions
         tab, select the
        Log at Session End
         check box to enable logging.
      4. In the Profile Setting section, click the
        Profile Type
         drop-down to view all
        Profiles
        . From the
        Anti-Spyware
         drop-down and select the new or modified profile.
      5. Click
        OK
         to save the policy rule.
    4. Test that the policy action is enforced.
      1. Access the following test domains to verify that the policy action for a given threat type is being enforced:
      2. To monitor the activity on the firewall:
        1. Select
          ACC
           and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
          Monitor
          Logs
          Threat
        2. Select and filter by
          (action eq sinkhole)
           to view logs on sinkholed domains.
    6. (Optional) Add domain signature exceptions in cases where false-positives occur.
      1. Select
        Objects
        Security Profiles
        Anti-Spyware
        .
      2. Select a profile to modify.
      3. Add
         or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
        DNS Signatures > Exceptions
        .
      4. Search for a DNS signature to exclude by entering the name or FQDN.
      5. Select the
        DNS Threat ID
         for the DNS signature that you want to exclude from enforcement.
      6. Click
        OK
         to save your new or modified Anti-Spyware profile.
        DNS-exceptions.png
    7. (Optional) Configure the DNS signature lookup timeout setting. If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, are passed through. You can check the average latency to verify that the requests fall within the configured period. If the average latency exceeds the configured period, consider updating the setting to a value that is higher than the average latency to prevent requests from timing out.
      1. In the CLI, issue the following command to view the average latency.
        show dns-proxy dns-signature
counters
        The default timeout is 100 milliseconds.
      2. Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.
        Signature query API:
	 .
		.
		.
	    [latency   ] :
        max    1870 (ms)  min    16(ms)  avg    27(ms)
          50 or less : 47246
          100 or less : 113
          200 or less : 25
          400 or less : 15
                 else : 21
      3. If the average latency is consistency above the default timeout value, you can raise the setting so that the requests fall within a given period. Select
        Device > Content-ID
         and update the
        Realtime Signature Lookup
         setting.
      4. Commit the changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo