Blocking Suspicious DNS Queries with DNS Proxy Enabled

Blocking Suspicious DNS Queries with DNS Proxy Enabled

70802
Created On 09/25/18 19:49 PM - Last Modified 02/05/21 23:43 PM


Symptom


When trying to enable Anti-Spyware on the Palo Alto Networks firewall with DNS proxy enabled, the user may experience DNS requests being denied across the entire network if it is not set up correctly. This is because of how Palo Alto Networks devices handle DNS requests and how Palo Alto Networks block suspicious DNS queries (enabled in Anti-Spyware profiles). This document will address why this issue occurs and how to resolve them.

 



Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • DNS Proxy enabled.
  • Anti-Spyware configuration.


Cause


The issue is caused by the Palo Alto Network device trying to block its only session for DNS queries to the external DNS server. If setting up an Anti-Spyware profile to block suspicious DNS queries (including the default 'strict' object), the firewall will put the offending DNS session into a DISCARD state. This means that all DNS traffic from the device that has been blocked, from that time forward it will be dropped until the session times out, or is manually cleared. Wanted DNS queries will be blocked when the users apply an Anti-Spyware profile configured to block these DNS queries from a trust (internal) zone to untrust (external) zone Security Policy [See Diagram 1.0]. The following is an illustration of the flow a packet would take if configured with a Security Policy, similar to the one listed above [See Diagram 1.1].  This will cause all DNS queries going from the Palo Alto Networks firewall to the DNS server to be denied after a suspicious DNS query is detected; even the wanted ones.



Suspicious DNS Queries with DNS Proxy - Diagram 1.0.png


Suspicious DNS Queries with DNS Proxy - Diagram 1.1.png

 



Resolution


Configure two policies as shown below (see diagram 2.0). The first policy will allow these DNS queries from the user's firewall to the internet. This will prevent a DISCARD session from being formed that will block all DNS queries for the entire network. The second policy will state to perform the Anti-Spyware profile on the traffic going from the clients to the firewall instead. This will allow blocking suspicious DNS queries for specific clients, and not block DNS queries for the entire network.
 

Suspicious DNS Queries with DNS Proxy - Diagram 2.0.png

 

 

 

 



Additional Information


How to Configure DNS Proxy on a Palo Alto Networks Firewall

 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClekCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language