DNS queries from PAN management interface can be triggered by HTTP/TLS Evasion Signatures

Created On 04/08/19 03:32 AM - Last Modified 04/05/24 15:50 PM


Symptom


  • DNS query traffic originates from the management interface of the firewall. The query can be a simple benign query, or it can trigger a Palo Alto Networks signature (a spyware or malicious-DNS signature). 
  • In this example the firewall management IP address is 192.168.10.1, and you will see a DNS query like the following. 


Environment


  • All PAN-OS 


Cause


Several firewall configurations can result in the firewall sending a DNS query from its management interface. The following is a summary of the main reasons; each is covered in turn below.
  • Spyware Evasion Signature [TID 14978/14984] action is set to "alert/sinkhole" 
  • DNS Proxy is enabled 
  • Address object as FQDN is configured 
  • Report with DNS resolver is configured 
  • Monitor tab-> traffic-> Resolve hostname

Spyware Evasion Signature [TID 14978/14984] action

The purpose of these signatures is defined here in detail. Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests. They can alert to instances where a client connects to a domain other than the domain specified in a DNS query. These signatures are effective only when the firewall can act as a DNS proxy on the interface and resolve domain name queries.

1. Upon filtering with the Threat ID, we see that traffic from an internal machine (10.10.10.10) matches the same signatures.

2. On checking the anti-spyware profile mapped to the Security Policy, HTTP/TLS Evasion Signatures (14978/14984) are set to "Alert."

Another possibility is that the signature's action has not been set to 'alert' in an Exception, but is instead inheriting 'alert' from the Anti-Spyware profile's severity rules (for example, the Informational severity set to alert):
[Screenshot: Informational severity set to alert]


3. This happens when the internal machine tries to reach the malicious website over HTTP. The DNS signature is triggered when the internal machine performs the DNS resolution. 

Explanation: 

  • The purpose of these signatures is to alert on instances where a client connects to a domain other than the one it resolved in its DNS query. Evasion signatures are effective only when the firewall can act as a DNS proxy and resolve domain name queries. 
    • In the case of HTTP, the firewall resolves the domain name from the Host header to an IP address and checks whether the client's destination IP matches what it resolved. 
    • In the case of TLS, the firewall reads the SNI name from the certificate and compares the client's destination IP to what it has resolved for that name. 
    • In both cases, the firewall must resolve the requested name itself in order to compare the result with the client's destination address. That is why the firewall originates a DNS query for the domain requested by the client.

In the case above, because anti-spyware signatures 14978 and 14984 are enabled, the firewall's management interface issues a second DNS query to resolve the domain.
If the domain is malicious, you will see a DNS query for a malicious or C2 domain issued from the firewall's management interface. This can trigger a security alert on any upstream security device, if one is present. 
NOTE: If your firewall management traffic passes through the data plane, you will also see a threat log for it. 
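The comparison described above, and the reason the management interface has to originate its own query, can be modelled in a few lines. This is an added illustration, not Palo Alto Networks code: the resolver table, domains and client addresses are constructed, and the `dns_action` parameter is a stand-in for the DNS signature's configured action ("alert"/"sinkhole" versus "block").

```python
# Added illustration, not Palo Alto Networks code: the HTTP/TLS evasion check
# (TID 14978/14984) and the DNS query it forces the firewall to originate.
# Domains, IPs and the resolver table below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MGMT_IP = "192.168.10.1"          # management interface IP used in the article
TID_HTTP, TID_TLS = 14978, 14984  # evasion signature IDs from the article
RESOLVER = {"good.example": "203.0.113.10", "bad.example": "203.0.113.66"}
MALICIOUS = {"bad.example"}       # constructed DNS-signature hit list

@dataclass
class Session:
    client_ip: str
    dst_ip: str
    name: str   # HTTP Host header or TLS SNI the client asked for
    proto: str  # "http" or "tls"

@dataclass
class Result:
    alerts: List[Tuple[int, str, str]] = field(default_factory=list)
    mgmt_queries: List[Tuple[str, str]] = field(default_factory=list)

def resolve(qname: str, out: Result) -> Optional[str]:
    """Firewall-originated lookup; this is the query seen leaving MGMT_IP."""
    out.mgmt_queries.append((MGMT_IP, qname))
    return RESOLVER.get(qname)

def evasion_check(sessions: List[Session], dns_action: str = "alert") -> Result:
    """Replay client sessions through the evasion check.

    dns_action models the DNS-signature action: with "block" the client's own
    lookup of a malicious name fails, no HTTP/TLS session follows, and the
    firewall never has to resolve the name itself (the article's Resolution).
    """
    out = Result()
    for s in sessions:
        if dns_action == "block" and s.name in MALICIOUS:
            continue  # client got no answer, so there is no session to inspect
        resolved = resolve(s.name, out)  # the side-effect query
        if resolved is not None and resolved != s.dst_ip:
            tid = TID_HTTP if s.proto == "http" else TID_TLS
            out.alerts.append((tid, s.client_ip, s.name))
    return out

def sample_sessions() -> List[Session]:
    """Constructed sessions: honest HTTP, evasive TLS (SNI vs. real dst), benign TLS."""
    return [Session("10.10.10.10", "203.0.113.66", "bad.example", "http"),
            Session("10.10.10.10", "198.51.100.5", "bad.example", "tls"),
            Session("10.10.10.11", "203.0.113.10", "good.example", "tls")]
```

With the default "alert" action every session, including the benign one, produces a lookup from the management IP; with "block" only the benign name is ever resolved.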



Resolution


  • This is expected behavior for this configuration, and it will happen whenever the DNS signatures are configured to Alert or Sinkhole (in the Sinkhole case, only if the sinkhole IP traffic is routed through the firewall). It will not happen if the DNS signatures are configured to "block", because the client's DNS resolution never succeeds, so no HTTP or HTTPS session is ever generated to trigger the evasion signature.
  • If the DNS signatures are configured to Alert or Sinkhole, the issue can be mitigated by applying, to the Security Policy that matches traffic from the firewall management interface, an anti-spyware profile that does not match the DNS signature.


NOTE: The management interface will also initiate a DNS query to resolve the IP address of any malicious domain that is added as an FQDN object (Objects > Address) in the firewall and used in a security policy. This query repeats every 30 minutes if the DNS query is blocked. The solution is to delete those FQDN objects and instead block connections to these domains using DNS Security/DNS signatures and URL filtering.



Additional Information



The management interface will also initiate a DNS query to resolve the IP address of a domain under the following conditions. 
  • DNS Proxy is enabled.
  • FQDN objects:
    • An FQDN object is configured under Objects > Address in the firewall and used in a security policy; it is re-resolved every 30 minutes.  
[Screenshot: FQDN object]
  • Monitor tab > Traffic > Resolve hostname.
  • Reporting: in the pre-defined reports, which are enabled by default, the reporting engine tries to resolve the IP addresses of malware domains when building the URL filtering reports for botnet and malicious URLs/domains. 
Detailed information can be found here. 

