Palo Alto Networks Knowledgebase: Blocking Suspicious DNS Queries with DNS Proxy Enabled
Created On 02/08/19 00:06 AM - Last Updated 02/08/19 00:06 AM
Zone and DoS Protection
When enabling Anti-Spyware on a Palo Alto Networks firewall that also has DNS proxy enabled, users may find DNS requests being denied across the entire network if the policies are not set up correctly. This is a consequence of how Palo Alto Networks devices handle DNS requests and how they block suspicious DNS queries (enabled in Anti-Spyware profiles). This document explains why the issue occurs and how to resolve it.
The issue is caused by the Palo Alto Networks device blocking its only session for DNS queries to the external DNS server. When an Anti-Spyware profile is configured to block suspicious DNS queries (including the default 'strict' object), the firewall puts the offending DNS session into a DISCARD state. From that point on, all DNS traffic on the blocked session is dropped until the session times out or is manually cleared. Wanted DNS queries are therefore blocked when the user applies an Anti-Spyware profile configured to block these DNS queries to a Security Policy from the trust (internal) zone to the untrust (external) zone [See Diagram 1.0]. Diagram 1.1 illustrates the flow a packet takes when a Security Policy similar to the one listed above is configured. The result is that all DNS queries going from the Palo Alto Networks firewall to the DNS server are denied after a suspicious DNS query is detected, even the wanted ones.
Configure two policies as shown below (see Diagram 2.0). The first policy allows DNS queries from the firewall itself to the internet without the Anti-Spyware profile, which prevents a DISCARD session from forming that would block all DNS queries for the entire network. The second policy applies the Anti-Spyware profile to the traffic going from the clients to the firewall instead. This blocks suspicious DNS queries from the specific offending clients without blocking DNS queries for the entire network.
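The following is an added illustration, not Palo Alto Networks code: a minimal model of how a session placed in DISCARD state by the Anti-Spyware DNS block affects DNS proxy traffic under the single-policy layout (Diagrams 1.0 and 1.1) versus the two-policy layout (Diagram 2.0). Host names, policy "legs" and the suspicious flag are constructed for the example; it shows only that every client shares the firewall's one upstream session.

```python
# Constructed model of PAN-OS session handling for DNS proxy plus an
# Anti-Spyware profile that blocks suspicious DNS queries. Not vendor code.
from dataclasses import dataclass, field

FIREWALL = "firewall"          # the DNS proxy itself (constructed name)
DNS_SERVER = "external-dns"    # upstream resolver reached by the firewall

@dataclass
class Policy:
    leg: str                   # "clients-to-firewall" or "firewall-to-dns-server"
    block_suspicious: bool     # Anti-Spyware profile that blocks suspicious DNS

@dataclass
class Firewall:
    policies: list
    discarded: set = field(default_factory=set)   # sessions in DISCARD state

    @staticmethod
    def leg(src, dst):
        return "firewall-to-dns-server" if src == FIREWALL else "clients-to-firewall"

    def forward(self, src, dst, suspicious):
        """Pass one DNS query over the session (src, dst); True if forwarded."""
        session = (src, dst)
        if session in self.discarded:
            return False                        # whole session dropped, wanted or not
        policy = next((p for p in self.policies if p.leg == self.leg(src, dst)), None)
        if policy is None:
            return False
        if policy.block_suspicious and suspicious:
            self.discarded.add(session)         # blocking action discards the session
            return False
        return True

    def resolve(self, client, suspicious=False):
        """Client -> DNS proxy -> external DNS server. Every client shares the single
        (FIREWALL, DNS_SERVER) session, which is what the single-policy layout breaks."""
        return (self.forward(client, FIREWALL, suspicious)
                and self.forward(FIREWALL, DNS_SERVER, suspicious))

    def clear_session(self, src, dst):
        self.discarded.discard((src, dst))      # session timed out or cleared by hand

def single_policy_layout():
    """Anti-Spyware applied on the firewall's own session to the DNS server."""
    return Firewall([Policy("clients-to-firewall", False),
                     Policy("firewall-to-dns-server", True)])

def two_policy_layout():
    """Plain allow for the firewall's session; Anti-Spyware on client sessions."""
    return Firewall([Policy("clients-to-firewall", True),
                     Policy("firewall-to-dns-server", False)])
```

In the single-policy layout one suspicious query from any client cuts off DNS for every client until the shared session is cleared; in the two-policy layout only the offending client's session is discarded.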