Advanced Threat Prevention now supports detection of DNS relay attacks, a data
exfiltration method that abuses legitimate web services by embedding attacker-controlled
domains in HTTP headers.
Because attackers can relay through a vast number of legitimate websites, traditional
domain blocking is less effective against this technique. By enabling this protection,
you strengthen your security posture and block covert data exfiltration that might
otherwise go undetected.
DNS relay detection works by analyzing HTTP, HTTP2, and SSL traffic for
suspicious patterns in headers and Server Name Indication (SNI) fields. When
enabled, web requests that carry hostnames in their headers are analyzed to identify
potential data exfiltration attempts. This capability uses the existing
Advanced Threat Prevention infrastructure to detect and prevent attackers from
exploiting legitimate web services for DNS tunneling.
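The paragraph above describes the inspection points (HTTP header values and the TLS SNI field) but not the detection logic itself. The following is an added illustration, not Palo Alto Networks code and not the signatures Advanced Threat Prevention uses: it pulls every hostname-looking token out of the header block of a constructed HTTP request, applies a few assumed heuristics for tunnel-style hostnames (an unusually long DNS label, a high-entropy label, an over-long hostname, an unusual number of labels), and emits an alert record. The thresholds, the sample request and the hostnames are all constructed for this example.

```python
import math
import re
from collections import Counter

# Assumed thresholds for this illustration; a real detector tunes these against
# baseline traffic and pairs them with an exclusion list.
MAX_LABEL_LEN = 24          # longest single DNS label seen in normal traffic
MIN_ENTROPY_LABEL_LEN = 16  # only score entropy on labels long enough to matter
ENTROPY_THRESHOLD = 3.5     # bits per character; encoded payloads sit near 4+
MAX_HOSTNAME_LEN = 50
MAX_LABELS = 4

# Matches dotted hostnames inside arbitrary header values (e.g. URLs in Referer).
HOSTNAME_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.IGNORECASE
)


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def analyze_hostname(hostname):
    """Score one hostname (from a Host header, another header value, or TLS SNI)."""
    labels = hostname.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(longest) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(longest) >= MIN_ENTROPY_LABEL_LEN and shannon_entropy(longest) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy_label")
    if len(hostname) > MAX_HOSTNAME_LEN:
        reasons.append("long_hostname")
    if len(labels) > MAX_LABELS:
        reasons.append("many_labels")
    # Require two independent signals before calling it suspicious, to keep
    # single long-but-legitimate CDN labels from firing on their own.
    return {"hostname": hostname, "reasons": reasons, "suspicious": len(reasons) >= 2}


def extract_hostnames_from_headers(raw_request):
    """Return (header_name, hostname) pairs for every hostname token in the header block."""
    found = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        for match in HOSTNAME_RE.finditer(value):
            found.append((name.strip(), match.group(1).lower()))
    return found


def scan_request(raw_request, src_ip):
    """Alert on every suspicious hostname carried in the request's headers."""
    alerts = []
    for header, host in extract_hostnames_from_headers(raw_request):
        result = analyze_hostname(host)
        if result["suspicious"]:
            alerts.append({"src": src_ip, "header": header, **result})
    return alerts


# Constructed sample request (not captured traffic): a normal Host and Referer
# plus a custom header carrying an encoded-looking relay hostname.
SAMPLE_REQUEST = (
    "GET /api/v1/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.example.com/dashboard\r\n"
    "X-Relay-Target: a3f9c1d2e7b8f0a1c4d5e6f7a8b9c0d1.e2f3a4b5c6d7e8f9.relay.example.org\r\n"
    "\r\n"
)

# Constructed SNI values: the same analysis applies to the TLS handshake field.
SAMPLE_SNI = ["cdn.example.net", "mzxw6ytboi5gq3tnnzzwizlsn5qwk.example.org"]

if __name__ == "__main__":
    for alert in scan_request(SAMPLE_REQUEST, "10.0.0.7"):
        print("HTTP header alert:", alert)
    for sni in SAMPLE_SNI:
        result = analyze_hostname(sni)
        if result["suspicious"]:
            print("TLS SNI alert:", result)
```

The two-signal rule and the thresholds are the tunable part: long random-looking labels are common on legitimate CDNs and SaaS platforms, which is exactly why the profile's exclusion list matters in the production feature. Running the scan on decrypted traffic (or on the SNI alone when decryption is not in place) gives the same visibility the paragraph describes, with the alert record feeding the logs used for incident response.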
DNS relay attack prevention integrates with your existing Advanced Threat
Prevention configuration in the anti-spyware security profile, where you set the
action for detected threats and define exclusions. The system generates detailed
logs and reports that give you visibility into detected attacks and support
effective incident response.