Threat actors leverage specific DNS query types to bypass security filters or conduct network reconnaissance. For example, SVCB (Type 64) and HTTPS (Type 65) records can facilitate encrypted connections that evade traditional inspection, while ANY (Type 255) queries let an attacker retrieve every known record type for a name in order to map your internal network. Without the ability to distinguish and control these specific record types, your organization remains exposed to these evasion and information-gathering techniques.
Palo Alto Networks now provides an option in Strata Cloud Manager to block ECH (Encrypted Client Hello), an IETF proposal, still in draft, to encrypt the entire TLS 'client hello' message. The option covers the SVCB (Type 64), HTTPS (Type 65), and ANY (Type 255) DNS record types. While ECH offers some privacy by hiding fields such as the ALPN and SNI, it can also prevent firewall services that rely on the client hello from operating as intended. To maintain optimal function of the firewall's security services, Palo Alto Networks recommends blocking all ECH-supporting record types.
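The reason HTTPS and SVCB records matter here is that a domain advertises its ECH configuration in an `ech` SvcParam of those records. As an added example (not Palo Alto Networks code), the parser below decodes the RFC 9460 wire format of an HTTPS/SVCB record and reports whether it carries that parameter, which is what a defender inspecting resolver responses would look for; the target name and the sample bytes are constructed.

```python
import struct

# SvcParamKey values from the RFC 9460 registry; "ech" is key 5.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(data, pos):
    """Decode an uncompressed DNS name (SVCB TargetName may not use compression)."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) or ".", pos

def parse_svcb_rdata(data):
    """Parse SVCB/HTTPS RDATA: SvcPriority, TargetName, then (key, len, value) SvcParams."""
    priority = struct.unpack("!H", data[:2])[0]
    target, pos = _read_name(data, 2)
    params, last_key = {}, -1
    while pos < len(data):
        key, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if key <= last_key:  # RFC 9460: keys must be strictly increasing
            raise ValueError("SvcParamKeys out of order")
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        pos += length
        if key == 1:  # alpn: sequence of length-prefixed protocol ids
            ids, i = [], 0
            while i < len(value):
                n = value[i]
                ids.append(value[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            value = ids
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = value
        last_key = key
    return priority, target, params

def advertises_ech(data):
    """True for a ServiceMode record (priority > 0) that carries an ech SvcParam."""
    priority, _, params = parse_svcb_rdata(data)
    return priority > 0 and "ech" in params

# Constructed sample HTTPS RDATA (not captured traffic): priority 1, target
# svc.example.com, alpn=h2,http/1.1, and a placeholder opaque ECHConfigList value.
SAMPLE_HTTPS_RDATA = (b"\x00\x01" + b"\x03svc\x07example\x03com\x00"
                      + b"\x00\x01\x00\x0c" + b"\x02h2\x08http/1.1"
                      + b"\x00\x05\x00\x06" + b"\x00\x04\xfe\x0d\xde\xad")
```

An AliasMode record (priority 0) carries no SvcParams, so `advertises_ech` returns False for it even though it is still a Type 65 answer.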