Palo Alto DNS Security

Domain Name System (DNS) is one of the main targets of attackers. DNS is a protocol used to resolve domain names to IP addresses. In this article, we will see how to configure Palo Alto to mitigate the risk of DNS hacking. Palo Alto uses three mechanisms, Machine Learning, Domain Protection and Empowered Security, to mitigate the risk of DNS hacking. It provides security for each threat type to secure the network from Layer 4 and Layer 7 attacks.

Palo Alto helps mitigate the following DNS threats:

Dynamic DNS Hosted Domains - Dynamic DNS maps hostnames to IP addresses in real time when static IPs are not available. Attackers may exploit this to infiltrate networks and distribute malicious payloads to victims.
Newly Registered Domains - Newly registered domains may be used by attackers for campaigns and to distribute malicious adware and spam software.
Grayware Domains - Grayware domains let attackers perform illegal activities such as planting adware, gaining remote access to victims, and so on.
Phishing Domains - Phishing domains help attackers obtain sensitive information by luring victims.
Parked Domains - Parked domains are websites with very little content that is of no use to users. Attackers may use these domains to generate revenue or distribute malware by attacking DNS.
Malware Domains - Malware domains distribute viruses and executables to victims.
Command and Control Domains - DNS Tunnel Detection and DGA Detection

Palo Alto has two options: DNS sinkholing and DNS monitoring. When both options are configured, they secure DNS against attackers.

(1) Configuration of DNS sinkholing

DNS Security (Threat Prevention and DNS Security subscription licenses required) is a service offered by Palo Alto to secure DNS against attackers. Follow the steps below to configure it:

Step 1: Create an Anti-Spyware policy

Go to Objects > Security Profiles > Anti-Spyware and set the DNS Signature Source List to Palo Alto Networks Content DNS Signatures.

Step 2: Configure log severity

Select critical, high and medium severity for the signature sources, such as Palo Alto Networks Content and the DNS Security threats discussed earlier in this article.

Step 3: Policy settings for each DNS signature category

Make sure you have purchased the license that enables this option. For 'Palo Alto Networks Cloud DNS Security', set the Action on DNS Queries to 'sinkhole'.

Check that 'Sinkhole IPv4' is correctly configured. It should be set to '' or to an internal host (host IP or FQDN).

Step 4: Attach the profile to a security policy rule

Go to Policies > Security Policies

Select every outbound security policy and, under 'Actions', select the 'Anti-Spyware' profile either explicitly or as a 'Group Profile'.
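
To check Step 4 across a whole rulebase, the added example below (not from the original article or from Palo Alto Networks) parses an exported configuration and lists allow rules that apply no Anti-Spyware profile, either directly or through a profile group. The sample XML is constructed, the element layout is an assumption about the export format, and the rule, group and profile names are hypothetical; it checks every allow rule rather than filtering on outbound zones.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is this example's
# assumption about how the security rulebase and profile groups are exported.
SAMPLE_CONFIG = """<config>
  <profile-group>
    <entry name="pg-outbound"><spyware><member>dns-sinkhole</member></spyware></entry>
    <entry name="pg-av-only"><virus><member>default</member></virus></entry>
  </profile-group>
  <security><rules>
    <entry name="web-out"><action>allow</action>
      <profile-setting><profiles><spyware><member>dns-sinkhole</member></spyware></profiles></profile-setting>
    </entry>
    <entry name="dns-out"><action>allow</action>
      <profile-setting><group><member>pg-outbound</member></group></profile-setting>
    </entry>
    <entry name="mail-out"><action>allow</action>
      <profile-setting><group><member>pg-av-only</member></group></profile-setting>
    </entry>
    <entry name="legacy-out"><action>allow</action></entry>
    <entry name="block-all"><action>deny</action></entry>
  </rules></security>
</config>"""

def spyware_profile_for(rule, groups):
    """Return the Anti-Spyware profile a rule applies, or None if it has none."""
    direct = rule.findtext("profile-setting/profiles/spyware/member")
    if direct:
        return direct
    group = rule.findtext("profile-setting/group/member")
    return groups.get(group)  # None: no group, unknown group, or group without spyware

def audit(xml_text, required_profile=None):
    """List (rule, profile) for allow rules lacking the Anti-Spyware profile."""
    root = ET.fromstring(xml_text)
    groups = {g.get("name"): g.findtext("spyware/member")
              for g in root.iterfind(".//profile-group/entry")}
    findings = []
    for rule in root.iterfind(".//security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # profiles only inspect traffic that the rule allows
        profile = spyware_profile_for(rule, groups)
        if profile is None or (required_profile and profile != required_profile):
            findings.append((rule.get("name"), profile))
    return findings

if __name__ == "__main__":
    for name, profile in audit(SAMPLE_CONFIG, "dns-sinkhole"):
        print(f"{name}: anti-spyware profile = {profile}")
```

Here 'mail-out' is flagged even though it has a group attached, because that group carries no Anti-Spyware profile, so the DNS sinkhole action never applies to its traffic.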

(2) Configuration of passive DNS monitoring

This option enables DNS monitoring within all Anti-Spyware profiles. Use the navigation below to enable it.

Go to Device > Setup > Telemetry

Check that Passive DNS Monitoring is enabled.

Palo Alto provides DNS security only if it is properly configured. To use DNS security, verify and activate the subscriptions, enable DNS security as described above, and use the DNS security dashboard.


Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
