Enable DNS Security
Configure your firewall to enable DNS sinkholing using the DNS Security service.
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, enable the sinkhole action, and attach the profile to a security policy rule.
- Verify that thepaloalto-dns-securityApp-ID in your security policy is configured to enable traffic from the DNS security cloud security service.If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
- Configure DNS Security signature policy settings to send malware DNS queries to the defined sinkhole.If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, you can configure an EDL with an Alert action.
- Select.ObjectsSecurity ProfilesAnti-Spyware
- Create or modify an existing profile, or select one of the existing default profiles and clone it.
- Namethe profile and, optionally, provide a description.
- Select theDNS Signatures>Policies & Settingstab.
- If thePalo Alto NetworksDNS Securitysource is not present, clickAddand select it from the list.
- Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
- (Optional) In thePacket Capturedrop-down, selectsingle-packetto capture the first packet of the session orextended-captureto set between 1-50 packets. You can then use the packet captures for further analysis.
- In theDNS Sinkhole Settingssection, verify thatSinkholeis enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
- ClickOKto save the Anti-Spyware profile.
- Attach the Anti-Spyware profile to a Security policy rule.
- Select or create aSecurity Policy Rule.
- On theActionstab, select theLog at Session Endcheck box to enable logging.
- In the Profile Setting section, click theProfile Typedrop-down to view allProfiles. From theAnti-Spywaredrop-down and select the new or modified profile.
- ClickOKto save the policy rule.
- Test that the policy action is enforced.
- To monitor the activity on the firewall:
- SelectACCand add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
- Selectand filter byMonitorLogsThreat(action eq sinkhole)to view logs on sinkholed domains.
- (Optional) Add domain signature exceptions in cases where false-positives occur.
- Select.ObjectsSecurity ProfilesAnti-Spyware
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Signatures > Exceptions.
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select theDNS Threat IDfor the DNS signature that you want to exclude from enforcement.
- ClickOKto save your new or modified Anti-Spyware profile.
- (Optional) Configure the DNS signature lookup timeout setting. If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, are passed through. You can check the average latency to verify that the requests fall within the configured period. If the average latency exceeds the configured period, consider updating the setting to a value that is higher than the average latency to prevent requests from timing out.
- In the CLI, issue the following command to view the average latency.show dns-proxy dns-signature countersThe default timeout is 100 milliseconds.
- Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.Signature query API: . . . [latency ] : max 1870 (ms) min 16(ms) avg 27(ms) 50 or less : 47246 100 or less : 113 200 or less : 25 400 or less : 15 else : 21
- If the average latency is consistency above the default timeout value, you can raise the setting so that the requests fall within a given period. SelectDevice > Content-IDand update theRealtime Signature Lookupsetting.
- Commit the changes.
Recommended For You
Recommended videos not found.