Palo Alto Firewall - Unauthorized DNS Queries Palo Alto Firewall - Unauthorized DNS Queries Document History: Date Version Summary of Changes Author Approved By 1.0 Initial Version Team GAVS Team GAVS Table of Contents Table of Contents ..................................................................................................................................................... 2 1. Purpose ............................................................................................................................................................... 3 2. Scope: .................................................................................................................................................................. 3 3. Targeted Audience: ........................................................................................................................................ 3 4. Solution:.............................................................................................................................................................. 3 5. How to verify DNS Sinkhole function is working properly:............................................................. 7 6. Client Using External DNS Server.............................................................................................................. 7 7. Client TCP/IP Properties Configuration .................................................................................................. 8 8. Client Output When Using External DNS Server .............................................................................. 10 9. Client Using Internal DNS Server ........................................................................................................... 10 10. Threat Logs ................................................................................................................................................ 12 11. Traffic Logs................................................................................................................................................. 12 12. Client Output When Using Internal DNS Server .......................................................................... 12 13. Reference Links: ....................................................................................................................................... 13 GAVS Technologies Proprietary & Confidential Page 2 of 13 Palo Alto Firewall - Unauthorized DNS Queries 1. Purpose This document covers the steps to prevent the Unauthorized Out-bound DNS Queries in Perimeter Palo Alto Next Generation Firewalls. 2. Scope: Prevention of Unauthorized Out-bound DNS Queries in Perimeter Palo Alto NGFW 3. Targeted Audience: AgFirst Network Team 4. Solution: DNS sinkhole needs to be enabled in Anti-Spyware profiles in Perimeter Palo Alto Next Generation Firewalls to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain name to resolve to a definable IP address (fake IP, Provided by Palo Alto) that is given to the client. If the client attempts to access the fake IP address and there is a security rule in place that blocks traffic to this IP, the information is recorded in the logs. Sample Flow: We need to keep the below in mind before assigning an IP address to DNS sinkhole configuration: When choosing a "fake IP", make sure that the IP address is a fictitious IP address that does not exist anywhere inside of the network. DNS and HTTP traffic must pass through the Palo Alto Networks firewall for the malicious URL to be detected and for the access to the fake IP to be stopped. If the fake IP is routed to a different location, and not through the firewall, this will not work properly. Steps: 1. Make sure the latest Antivirus updates are installed on the Palo Alto Networks device. From the WebUI, go to Device > Dynamic Updates on the left. Click "Check Now" in the lower left, and make sure that the Anti-Virus updates are current. If they are now, please do that before proceeding. The Automatic Updates can be configured if they are not setup. GAVS Technologies Proprietary & Confidential Page 3 of 13 Palo Alto Firewall - Unauthorized DNS Queries Fig1.1 Note: A paid Threat Prevention subscription for the DNS sinkhole is required to function properly. 2. Configure the DNS Sinkhole Protection inside of an Anti-Spyware profile. Click on the Objects > Anti-Spyware under Security Profiles on the left. Use either an existing profile or create a new profile. In the example below the "alert-all" is being used: Fig1.2: GAVS Technologies Proprietary & Confidential Page 4 of 13 Palo Alto Firewall - Unauthorized DNS Queries Click the name of the profile - alert-all, click on the DNS Signatures tab. Fig1.3: Change the "Action on DNS queries" to 'sinkhole' if it is not already set to sinkhole. Click in the Sinkhole IPv4 field either select the default Palo Alto Networks Sinkhole IP (72.5.65.111) or a different IP of your choosing. If you opt to use your own IP, ensure the IP is GAVS Technologies Proprietary & Confidential Page 5 of 13 Palo Alto Firewall - Unauthorized DNS Queries not used inside your network and preferably not routable over the internet (RFC1918). Click on Sinkhole IPv6 and enter a fake IPv6 IP. Even if IPv6 is not used, something still needs to be entered. The example shows ::1 . Click OK. Note: If nothing is entered for the Sinkhole IPv6 field, OK will remain grayed out. 3. Apply the Anti-Spyware profile on the security policy that allows DNS traffic from the internal network (or internal DNS server) to the internet Click on Policies> Security on the left side. Inside the rules, locate the rule that allows DNS traffic outbound, click on the name, go to the Actions tab, and make sure that the proper AntiSpyware profile is selected. Click OK. Fig1.4: 4. The last thing needed is to have a security rule that will block all web-browsing and SSL access to the fake IP 72.5.65.111 and also :1 if using IPv6. This will ensure to deny traffic to the fake IP from any infected machines. Fig1.5: GAVS Technologies Proprietary & Confidential Page 6 of 13 Palo Alto Firewall - Unauthorized DNS Queries 5. Commit the configuration Fig1.6: 5. How to verify DNS Sinkhole function is working properly: Resolution This is designed to help verify if the DNS Sinkhole function is working properly through a Palo Alto Networks firewall. The following 2 scenarios are covered: 6. Client Using External DNS Server Client Using Internal DNS Server Client Using External DNS Server GAVS Technologies Proprietary & Confidential Page 7 of 13 Palo Alto Firewall - Unauthorized DNS Queries Note: DNS Sinkhole IP must be in the path of the firewall and the client so you can see logs from it. For example, the Palo Alto Networks firewall sits between an infected client and the Data Center, but it does not see the internet. In this scenario, if DNS Sinkhole is configured with an internet IP, then the firewall will never see the infected client trying to reach its command & control server. When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source. 1. The user is trying to access a malicious website. The client system will send the DNS query to an external DNS server to get the IP address of the malicious website. The firewall will receive the DNS query directly from the client system. 2. The firewall will hijack the DNS query and will give a DNS sinkhole IP address to the client and should be able to see the threat logs with client IP address as a source. 7. Client TCP/IP Properties Configuration GAVS Technologies Proprietary & Confidential Page 8 of 13 Palo Alto Firewall - Unauthorized DNS Queries Review the following config example: Threat Logs When using an external DNS server, Threat logs show the Client IP address "192.168.27.192" as a source that is trying to access a malicious website: GAVS Technologies Proprietary & Confidential Page 9 of 13 Palo Alto Firewall - Unauthorized DNS Queries 8. Client Output When Using External DNS Server $nslookup Server: Address: 79fe3m5f4nx8c1.pmr.cc 195.130.131.4 195.130.131.4#53 Non-authoritative answer: Name: 79fe3m5f4nx8c1.pmr.cc Address: 72.5.65.111 The screenshot above shows a host machine 192.168.27.192 performing a DNS request for "79fe3m5f4nx8c1.pmr.cc" (a suspicious URL) and the response being 72.5.65.111. Thus, showing that the DNS Sinkhole is working as desired. 9. Client Using Internal DNS Server If a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source. Currently, the Palo Alto Networks firewall cannot identify which end client is trying to access a malicious website with the help of the threat logs, because all threat logs will have the internal DNS server IP address as a source. However, the firewall should be able to determine the end client IP address with the help of traffic logs. Below is an example where the user is trying to access a malicious website. The client system will send the DNS query to an internal DNS server to acquire the IP address of the malicious website. Here, the internal DNS server will forward the DNS query to an external DNS server. The firewall will receive a DNS query from the internal DNS server. The firewall will hijack the DNS query and give the DNS sinkhole IP address to the Internal DNS server. The internal DNS server will forward the response to the client system and the user should be able to see threat logs with Internal DNS server IP address as a source. However, Palo Alto Networks firewall should able to see client IP address in the traffic logs because client will try to access that website with DNS sinkhole IP address, as shown in the following screenshot GAVS Technologies Proprietary & Confidential Page 10 of 13 Palo Alto Firewall - Unauthorized DNS Queries Client GAVS Technologies TCP/IP Properties Proprietary & Confidential Configuration Page 11 of 13 Palo Alto Firewall - Unauthorized DNS Queries 10. Threat Logs In threat logs, the firewall shows only the internal DNS server IP address "10.50.240.101" as a source, because the client system is using the internal DNS server IP. Here the firewall is not able to determine which end client is trying to access that website. 11. Traffic Logs However, as soon as client get the IP address from DNS server, it will generate traffic towards the sinkhole IP address(72.5.65.111). Therefore, the firewall will show the end client IP address "192.168.27.192" in traffic logs, as shown below: 12. Client Output When Using Internal DNS Server $nslookup Server: Address: 4cdf1kuvlgl5zpb9.pmr.cc 192.168.27.189 192.168.27.189#53 Non-authoritative answer Name: 4cdf1kuvlgl5zpb9.pmr.cc Address: 72.5.65.111 GAVS Technologies Proprietary & Confidential Page 12 of 13 Palo Alto Firewall - Unauthorized DNS Queries The screenshot above shows a host machine 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious URL) with the response of 72.5.65.111. This verifies that the DNS Sinkhole is working as desired. 13. Reference Links: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2 https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dnsqueries-to-identify-infected-hosts-on-the-network/dns-sinkholing GAVS Technologies Proprietary & Confidential Page 13 of 13