DNS Resource Record Type Control for Advanced DNS Security
What's New in the NetSec Platform

Block ECH-supporting DNS records (SVCB, HTTPS, ANY) in Strata Cloud Manager to prevent evasion and maintain firewall security service functionality.
Feb 6, 2026
Supported for:
  • Strata Cloud Manager
Nov 16, 2022
Supported on NGFW:
  • First introduced in PAN-OS 11.0.
Threat actors leverage specific DNS queries to bypass security filters or conduct network reconnaissance. For example, SVCB (Type 64) and HTTPS (Type 65) records can facilitate encrypted connections that evade traditional inspection, while ANY (Type 255) queries let an attacker retrieve every known record type for a name to map your internal network. Without the ability to distinguish and control these specific record types, your organization remains vulnerable to sophisticated evasion techniques and information gathering.
Palo Alto Networks now provides the option in Strata Cloud Manager to block ECH (Encrypted Client Hello), an IETF draft proposal to encrypt the entire TLS "client hello" message. The block covers the DNS record types that can deliver ECH configuration to a client: SVCB (Type 64), HTTPS (Type 65), and ANY (Type 255). While ECH offers some privacy by hiding fields such as the ALPN and SNI, it can also prevent firewall services that rely on the client hello from operating as intended. To maintain optimal function of the firewall's security services, Palo Alto Networks recommends blocking all ECH-supporting record types.
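To make the record-type control concrete, the following added example (not Palo Alto Networks code, and not how the firewall implements it) parses the question section of an RFC 1035 DNS query and applies the same policy: queries whose QTYPE is SVCB (64), HTTPS (65) or ANY (255) are marked for blocking, everything else is allowed. The `build_query` helper and the sample names are constructed for the test.

```python
import struct

# QTYPEs the page describes as ECH-supporting and recommends blocking.
ECH_RECORD_TYPES = {64: "SVCB", 65: "HTTPS", 255: "ANY"}

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query in wire format (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_question(pkt: bytes):
    """Return (qname, qtype) of the first question; raise on malformed input."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        if length & 0xC0:  # compression pointers never belong in a query's QNAME
            raise ValueError("unexpected compression pointer in QNAME")
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype = struct.unpack(">H", pkt[pos:pos + 2])[0]
    return ".".join(labels), qtype

def classify_query(pkt: bytes) -> dict:
    """Apply the ECH-record policy: block SVCB/HTTPS/ANY queries, allow the rest."""
    qname, qtype = parse_question(pkt)
    return {
        "qname": qname,
        "qtype": qtype,
        "type_name": ECH_RECORD_TYPES.get(qtype, str(qtype)),
        "action": "block" if qtype in ECH_RECORD_TYPES else "allow",
    }

if __name__ == "__main__":
    for name, qtype in [("www.example.com", 65), ("example.com", 1), ("example.com", 255)]:
        print(classify_query(build_query(name, qtype)))
```

A real deployment would key the same decision off the parsed QTYPE in a resolver or inline inspection path; the malformed-input checks matter there because a crafted question section must fail closed rather than slip past the type check.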