Passive DNS Monitoring
Passive DNS monitoring enables the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis to improve threat intelligence and threat prevention capabilities. The data collected consists of non-recursive DNS query and response packet payloads (a non-recursive exchange is one in which a client, such as a web browser, sends a query to a DNS server to translate a domain name to an IP address, and the server returns a response without querying other DNS servers on the client's behalf). See DNS Overview for more background information about DNS.
The threat intelligence that the firewall collects from passive DNS monitoring consists solely of domain-to-IP address mappings. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date. The Palo Alto Networks threat research team uses passive DNS information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection.
The firewall forwards DNS responses only when all of the following requirements are met:
- The DNS response (QR) bit is set
- The DNS truncated (TC) bit is not set
- The DNS recursion bit is not set
- The DNS response code (RCODE) is 0 (NOERROR) or 3 (NXDOMAIN)
- The DNS question count (QDCOUNT) is greater than 0
- The DNS answer RR count (ANCOUNT) is greater than 0, or, if it is 0, the response code is 3 (NXDOMAIN)
- The DNS query record type is one of A, NS, CNAME, AAAA, or MX
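The requirements above amount to a packet filter over the DNS header and question section. The following Python is an added example, not Palo Alto Networks code, and is not how the firewall itself is implemented: it parses those fields per RFC 1035, applies each condition in the order listed, and reports which one rejected a packet. It assumes that the page's "recursive bit" means the RD (recursion desired) flag; the `build_response` helper and the sample packets it produces are constructed for this example only.

```python
"""Apply the passive DNS forwarding requirements to raw DNS response packets.

Added example, not Palo Alto Networks code. Parses the DNS header and the
first question entry (RFC 1035 section 4.1) and checks the conditions listed
on the page. Assumption: "recursive bit" is interpreted as the RD flag.
"""
import struct

# QTYPE values for the record types the firewall forwards (RFC 1035, RFC 3596)
FORWARDED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 1 = response, 0 = query
        "tc": (flags >> 9) & 1,       # truncated
        "rd": (flags >> 8) & 1,       # recursion desired (assumed meaning of "recursive bit")
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question(packet: bytes, offset: int = 12) -> tuple[str, int, int]:
    """Return (qname, qtype, next_offset) for the first question entry."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if offset + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, offset + 4


def should_forward(packet: bytes) -> tuple[bool, str]:
    """Return (decision, reason) according to the page's forwarding requirements."""
    try:
        h = parse_header(packet)
    except ValueError as e:
        return False, str(e)
    if not h["qr"]:
        return False, "QR not set (this is a query, not a response)"
    if h["tc"]:
        return False, "TC set (truncated response)"
    if h["rd"]:
        return False, "RD set (recursive lookup)"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return False, f"rcode {h['rcode']} is neither NOERROR nor NXDOMAIN"
    if h["qdcount"] < 1:
        return False, "no question section"
    if h["ancount"] == 0 and h["rcode"] != RCODE_NXDOMAIN:
        return False, "empty answer section without NXDOMAIN"
    try:
        qname, qtype, _ = parse_question(packet)
    except ValueError as e:
        return False, str(e)
    if qtype not in FORWARDED_QTYPES:
        return False, f"qtype {qtype} not in forwarded set"
    return True, f"forward {qname} {FORWARDED_QTYPES[qtype]}"


def build_response(qname: str, qtype: int, *, rcode: int = 0, answers: int = 1,
                   tc: bool = False, rd: bool = False, qr: bool = True) -> bytes:
    """Construct a minimal DNS message (sample data for this example).

    Only the header and question are encoded; answer RRs are represented by
    the ANCOUNT field alone, which is all the forwarding filter inspects."""
    flags = (int(qr) << 15) | (int(tc) << 9) | (int(rd) << 8) | (rcode & 0xF)
    header = struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    samples = {
        "A, one answer": build_response("example.com", 1),
        "AAAA NXDOMAIN": build_response("nx.example.com", 28, rcode=3, answers=0),
        "A with RD set": build_response("example.com", 1, rd=True),
        "A, empty, NOERROR": build_response("example.com", 1, answers=0),
        "TXT": build_response("example.com", 16),
    }
    for label, pkt in samples.items():
        print(f"{label:20} -> {should_forward(pkt)}")
```

The filter deliberately stops at the first failed condition so the reason string points at exactly one requirement; a real sensor would also have to handle EDNS0 padding and compressed names in the answer section, which this example does not parse because the listed requirements never look past the question.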