Palo Alto Firewall - Unauthorized DNS Query V1.0

Palo Alto Firewall - Unauthorized DNS Queries
Document History:
Date | Version | Summary of Changes | Author | Approved By
     | 1.0     | Initial Version    | Team GAVS | Team GAVS
Table of Contents
Table of Contents (page 2)
1. Purpose (page 3)
2. Scope (page 3)
3. Targeted Audience (page 3)
4. Solution (page 3)
5. How to verify DNS Sinkhole function is working properly (page 7)
6. Client Using External DNS Server (page 7)
7. Client TCP/IP Properties Configuration (page 8)
8. Client Output When Using External DNS Server (page 10)
9. Client Using Internal DNS Server (page 10)
10. Threat Logs (page 12)
11. Traffic Logs (page 12)
12. Client Output When Using Internal DNS Server (page 12)
13. Reference Links (page 13)
GAVS Technologies
Proprietary & Confidential
Page 2 of 13
1. Purpose
This document covers the steps to prevent the Unauthorized Out-bound DNS Queries in
Perimeter Palo Alto Next Generation Firewalls.
2. Scope:
Prevention of Unauthorized Out-bound DNS Queries in Perimeter Palo Alto NGFW
3. Targeted Audience:
AgFirst Network Team
4. Solution:
DNS sinkhole needs to be enabled in the Anti-Spyware profiles of the Perimeter Palo Alto Next
Generation Firewalls. The firewall then forges the response to a DNS query for a known malicious
domain/URL, so the malicious domain name resolves to a definable IP address (a fake IP, provided
by Palo Alto) that is returned to the client. If the client attempts to access the fake IP address and
a security rule is in place that blocks traffic to this IP, the attempt is recorded in the logs.
Sample Flow:
We need to keep the below in mind before assigning an IP address to the DNS sinkhole
configuration:
When choosing a "fake IP", make sure that the IP address is a fictitious IP address that does
not exist anywhere inside the network. DNS and HTTP traffic must pass through the Palo
Alto Networks firewall for the malicious URL to be detected and for the access to the fake IP
to be stopped. If the fake IP is routed to a different location, and not through the firewall, this
will not work properly.
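The two conditions above (the fake IP must not exist inside the network, and should preferably be an unused RFC1918 address when the vendor default is not used) can be checked before the profile is committed. The following is an added example, not part of the original document; the internal subnets listed are constructed placeholders that stand in for the real address plan.

```python
import ipaddress

# Constructed example of the internal address plan; replace with the real subnets.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.50.0.0/16")]

# Default IPv4 sinkhole address supplied by Palo Alto Networks (from the document).
PAN_DEFAULT_SINKHOLE = "72.5.65.111"


def check_sinkhole_ip(candidate, internal_networks=INTERNAL_NETWORKS):
    """Return the list of reasons a candidate IPv4 sinkhole address is unsuitable.

    An empty list means the address is acceptable: it is either the vendor
    default or an RFC1918 address that does not overlap any internal subnet.
    """
    ip = ipaddress.ip_address(candidate)
    if ip.version != 4:
        raise ValueError("this check covers the Sinkhole IPv4 field only")
    if str(ip) == PAN_DEFAULT_SINKHOLE:
        return []
    problems = []
    if any(ip in net for net in internal_networks):
        problems.append("overlaps an internal subnet, so sinkholed clients would reach a real host")
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        problems.append("loopback/multicast/unspecified addresses never traverse the firewall")
    elif not ip.is_private:
        problems.append("globally routable: traffic could leave by a path the firewall does not see")
    return problems
```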
Steps:
1. Make sure the latest Antivirus updates are installed on the Palo Alto Networks device.
From the WebUI, go to Device > Dynamic Updates on the left. Click "Check Now" in
the lower left, and make sure that the Anti-Virus updates are current. If they are
not, please update them before proceeding. Automatic Updates can be configured if
they are not set up.
Fig1.1
Note: A paid Threat Prevention subscription is required for the DNS sinkhole to function
properly.
2. Configure the DNS Sinkhole Protection inside an Anti-Spyware profile. Click on
Objects > Anti-Spyware under Security Profiles on the left.
Use either an existing profile or create a new profile. In the example below the "alert-all" profile is
being used:
Fig1.2:
Click the name of the profile (alert-all), then click on the DNS Signatures tab.
Fig1.3:
Change the "Action on DNS queries" to 'sinkhole' if it is not already set to sinkhole.
Click in the Sinkhole IPv4 field and either select the default Palo Alto Networks Sinkhole IP
(72.5.65.111) or a different IP of your choosing. If you opt to use your own IP, ensure the IP is
not used inside your network and preferably not routable over the internet (RFC1918).
Click on Sinkhole IPv6 and enter a fake IPv6 IP. Even if IPv6 is not used, something still needs
to be entered. The example shows ::1. Click OK.
Note: If nothing is entered for the Sinkhole IPv6 field, OK will remain grayed out.
3. Apply the Anti-Spyware profile to the security policy that allows DNS traffic from the internal
network (or internal DNS server) to the internet.
Click on Policies > Security on the left side. Inside the rules, locate the rule that allows DNS
traffic outbound, click on the name, go to the Actions tab, and make sure that the proper Anti-Spyware profile is selected. Click OK.
Fig1.4:
4. The last thing needed is a security rule that blocks all web-browsing and
SSL access to the fake IP 72.5.65.111, and also to ::1 if using IPv6. This ensures that
traffic to the fake IP from any infected machines is denied.
Fig1.5:
5. Commit the configuration
Fig1.6:
5. How to verify DNS Sinkhole function is working properly:
Resolution
This is designed to help verify whether the DNS Sinkhole function is working properly through a Palo
Alto Networks firewall.
The following 2 scenarios are covered:
- Client Using External DNS Server
- Client Using Internal DNS Server
6. Client Using External DNS Server
Note: The DNS Sinkhole IP must be in the path between the firewall and the client so that logs
are generated for it. For example, suppose the Palo Alto Networks firewall sits between an infected
client and the Data Center, but does not see the internet. In this scenario, if the DNS Sinkhole is
configured with an internet IP, the firewall will never see the infected client trying to reach its
command & control server.
When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client
system is using an external DNS server, the DNS query from the client will go through the Palo
Alto Networks firewall to the external DNS server (client and DNS server are in different
subnets). As expected, the user should be able to see threat logs with the client IP address as
a source.
1. The user is trying to access a malicious website. The client system will send the DNS
query to an external DNS server to get the IP address of the malicious website. The
firewall will receive the DNS query directly from the client system.
2. The firewall will hijack the DNS query and return the DNS sinkhole IP address to the
client, and the user should be able to see the threat logs with the client IP address as the source.
7. Client TCP/IP Properties Configuration
Review the following config example:
Threat Logs
When using an external DNS server, the Threat logs show the client IP address
"192.168.27.192" as the source that is trying to access a malicious website:
8. Client Output When Using External DNS Server
$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:   195.130.131.4
Address:  195.130.131.4#53

Non-authoritative answer:
Name: 79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111
The output above shows the host machine 192.168.27.192 performing a DNS request for
"79fe3m5f4nx8c1.pmr.cc" (a suspicious URL) and receiving the response 72.5.65.111, which
shows that the DNS Sinkhole is working as desired.
9. Client Using Internal DNS Server
If a client system is using an internal DNS server (client and DNS server are in the same subnet),
the DNS query from the client will go to the internal DNS server. The internal DNS server will
forward this query to an external DNS server, and threat logs with the internal DNS server IP
address will be seen as a source.
Currently, the Palo Alto Networks firewall cannot identify which end client is trying to access a
malicious website with the help of the threat logs, because all threat logs will have the internal
DNS server IP address as a source. However, the firewall should be able to determine the end
client IP address with the help of traffic logs.
Below is an example where the user is trying to access a malicious website. The client system
will send the DNS query to an internal DNS server to acquire the IP address of the malicious
website. Here, the internal DNS server will forward the DNS query to an external DNS server.
The firewall will receive a DNS query from the internal DNS server.
The firewall will hijack the DNS query and return the DNS sinkhole IP address to the internal DNS
server. The internal DNS server will forward the response to the client system, and the user
should be able to see threat logs with the internal DNS server IP address as the source. However,
the Palo Alto Networks firewall should be able to see the client IP address in the traffic logs, because
the client will try to access that website using the DNS sinkhole IP address, as shown in the following
screenshot.
Client TCP/IP Properties Configuration
10. Threat Logs
In the threat logs, the firewall shows only the internal DNS server IP address "10.50.240.101" as the
source, because the client system is using the internal DNS server. Here the firewall is not
able to determine which end client is trying to access that website.
11. Traffic Logs
However, as soon as the client gets the IP address from the DNS server, it will generate traffic towards
the sinkhole IP address (72.5.65.111). Therefore, the firewall will show the end client IP address
"192.168.27.192" in the traffic logs, as shown below:
12. Client Output When Using Internal DNS Server
$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:   192.168.27.189
Address:  192.168.27.189#53

Non-authoritative answer:
Name: 4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111
The output above shows the host machine 192.168.27.192 performing a DNS request for
4cdf1kuvlgl5zpb9.pmr.cc (a suspicious URL) and receiving the response 72.5.65.111. This verifies that
the DNS Sinkhole is working as desired.
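Sections 9 to 12 describe the two places an infected host shows up: as the threat-log source when it queries an external resolver, and only in the traffic log (as a host connecting to the sinkhole address) when an internal DNS server relays its query. The correlation below is an added example, not part of the original document; the log lines are constructed in a simplified CSV layout and are not the exact PAN-OS export format.

```python
import csv
from io import StringIO

# Sinkhole addresses configured in the Anti-Spyware profile (IPv4 default and ::1 from the document).
SINKHOLE_IPS = {"72.5.65.111", "::1"}

# Constructed sample logs; the real PAN-OS export carries many more columns.
THREAT_LOG = """\
time,src,dst,app,threat,action
2024-01-01 10:00:01,10.50.240.101,195.130.131.4,dns,Suspicious DNS Query (4cdf1kuvlgl5zpb9.pmr.cc),sinkhole
2024-01-01 10:00:02,192.168.27.192,195.130.131.4,dns,Suspicious DNS Query (79fe3m5f4nx8c1.pmr.cc),sinkhole
"""
TRAFFIC_LOG = """\
time,src,dst,dport,app,action
2024-01-01 10:00:03,192.168.27.192,72.5.65.111,80,web-browsing,deny
2024-01-01 10:00:04,192.168.27.150,72.5.65.111,443,ssl,deny
2024-01-01 10:00:05,192.168.27.7,93.184.216.34,443,ssl,allow
"""


def infected_clients(threat_csv, traffic_csv, dns_servers, sinkholes=SINKHOLE_IPS):
    """Map each suspected client IP to the log evidence that implicates it.

    Clients that query an external resolver directly appear as the source of a
    sinkhole threat log. Clients behind an internal DNS server do not: the
    threat log names the server, so they are recovered from the traffic log as
    hosts that subsequently connect to a sinkhole address.
    """
    evidence = {}
    for row in csv.DictReader(StringIO(threat_csv)):
        if row["action"] == "sinkhole" and row["src"] not in dns_servers:
            evidence.setdefault(row["src"], []).append("threat: " + row["threat"])
    for row in csv.DictReader(StringIO(traffic_csv)):
        if row["dst"] in sinkholes:
            evidence.setdefault(row["src"], []).append(
                f"traffic: {row['app']} to sinkhole {row['dst']}:{row['dport']} ({row['action']})")
    return evidence


if __name__ == "__main__":
    for client, reasons in infected_clients(THREAT_LOG, TRAFFIC_LOG, {"10.50.240.101"}).items():
        print(client, reasons)
```

The internal DNS server 10.50.240.101 is excluded from the result even though it is the threat-log source, and 192.168.27.150 is found from the traffic log alone.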
13. Reference Links:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dnsqueries-to-identify-infected-hosts-on-the-network/dns-sinkholing