Palo Alto DNS Security

Domain Name System (DNS) is one of the main targets of attackers. DNS is a protocol used to resolve the domain names to IP addresses. In this article, we will see how we can configure Palo Alto to mitigate the risk of DNS hacking. Palo Alto uses three mechanisms as Machine Learning, Domain Protection, and Empowered Security to mitigate the risk of DNS hacking. It provides security for each threat type to secure the network from Layer 4 and Layer 7 attacks.

Click here for How to Secure Network Firewall from Cyber Attacks

Palo Alto helps in mitigate the following DNS threats:

Dynamic DNS Hosted Domains - It maps between hostnames and IP addresses in real-time if static IPs are not available. This scenario may be exploited by attackers by using the method of infiltrating networks and distributing malicious payloads to victims.
Newly Registered Domains - Newly registered domains may use by hackers for campaigning and distribute malicious adware and spam software.
Grayware Domains - Grayware domains facilitate attackers to perform illegal activities such as plant adware, granting remote access to victims, etc.
Phishing Domains - Phishing domains are helpful for attackers to get sensitive information by luring them.
Parked Domains - Parked domains are non-useful websites that have very little data which is not useful for users. These domains may be used by attackers to generate revenue or distribute malware by attacking DNS.
Malware Domains - Malware Domains distributing viruses, and executables to victims
Command and Control Domains - DNS Tunnel Detection and DGA Detection

Palo Alto has two options: DNS sinkholing and DNS monitoring. If these two options are configured, it will secure DNS from bad people.

(1) Configuration of DNS sinkholing

DNS Security (Threat Prevention and DNS Security subscription license required) is a service offered by Palo Alto to secure DNS from bad people. You need to follow the below steps to configure:

Step 1: Create an Anti-Spyware policy

Go to Objects > Security Profiles > Anti-Spyware, and set the DNS Signature Source List as Palo Alto Networks Content DNS Signatures.

Step 2: Configure log severity

Select critical, high, and medium severity for signature sources such as Palo Alto Network Contents and DNS Security Threats as discussed above in this article.

Step 3: Policy settings for each and every DNS signature category

Make sure you purchased a license to enable this option. Use 'Palo Alto Networks Cloud DNS Security' --> its Action on DNS Queries --> 'sinkhole'.

Check 'Sinkhole IPv4' is correctly configured. It should be 'sinkhole.paloaltnetworks.com' or the internal host (host IP or FQDN) is set.

Step 4: Attach the profile to a security policy rule

Go to Policies --> Security Policies

Select each and every outbound security Policy, under 'Actions', select 'Anti-Spyware' either explicitly or as a 'Group Profile'

(2) Configuration of passive DNS monitoring

This option helps in monitoring DNS within all anti-spyware profiles. Use the below navigation to enable this configuration.

Go to Device -> Setup -> Telemetry

Check for Passive DNS Monitoring is enabled.

Click here for Top 5 Commands DNS to Test DNS Zone Transfer in 2-minutes

Conclusion

Palo Alto provides the option of DNS security only if it is properly configured. To use DNS security, we need to verify and activate subscriptions, enable DNS security as guided above, and use the DNS security dashboard.