DNS queries from PAN management interface can be triggered by HTTP/TLS Evasion Signatures
Symptom
- DNS query traffic originating from the management interface of the firewall can be a simple benign query, or it can trigger a Palo Alto Networks signature. These signatures can be spyware or malicious DNS signatures.
- In this example, the firewall management IP address is 192.168.10.1, and you will see a DNS query as follows.
Environment
- All PAN-OS
Cause
- Spyware Evasion Signature [TID 14978/14984] action is set to "alert/sinkhole"
- DNS Proxy is enabled
- Address object as FQDN is configured
- Report with DNS resolver is configured
- Monitor tab-> traffic-> Resolve hostname
Spyware Evasion Signature [TID 14978/14984] action
1. Filtering the threat log by the Threat ID shows that traffic from an internal machine (10.10.10.10) matches the same signatures.
2. On checking the anti-spyware profile mapped to the Security Policy, HTTP/TLS Evasion Signatures (14978/14984) are set to "Alert."
3. This happens when the internal machine tries to reach the malicious website over HTTP. The DNS signature is triggered when the internal machine performs the DNS resolution.
Explanation:
- The purpose of these signatures is to alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall can act as a DNS Proxy and resolve domain name queries.
- In the case of HTTP, the Firewall will resolve the domain name to the IP address and check if the client's destination IP is the same as it has resolved.
- In the case of TLS, the Firewall will read the SNI name from the certificate, and compare the client's destination IP to what it has resolved.
- In both cases, the firewall must resolve the destination domain to an IP address in order to compare it with the client's destination address. That is why the firewall originates a DNS query for the domain requested by the client.
In the case above, because anti-spyware signatures 14978 and 14984 are enabled, the firewall's management interface issues another DNS query to resolve the domain.
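The comparison the explanation above describes can be simulated in a few lines. The following is an added example, not Palo Alto Networks code: the firewall resolves the hostname the client named (HTTP Host header or TLS SNI) through its own resolver, records that lookup (the query that leaves the management interface), and then compares the answer with the client's real destination IP. The resolver table, hostnames and IP addresses are constructed; the unresolvable case shows why a "block" action on the DNS signature means the evasion check never fires.

```python
"""Added example (not Palo Alto Networks code): a simulation of the check the
HTTP/TLS evasion signatures (14978/14984) perform, as the article describes
it. Resolver data, hosts and IPs are all constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed stand-in for the answers the firewall's DNS proxy would return.
RESOLVER: Dict[str, Set[str]] = {
    "shop.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.5"},
    "bad.example.org": {"192.0.2.66"},
}


@dataclass
class Flow:
    client_ip: str
    dst_ip: str   # where the client's TCP connection actually goes
    proto: str    # "http" (Host header) or "tls" (SNI)
    host: str     # the hostname the client named


@dataclass
class EvasionResult:
    host: str
    proto: str
    dst_ip: str
    resolved: Set[str]
    mismatch: bool               # True = the evasion signature would fire
    resolver_queries: List[str]  # lookups the firewall itself issued


def resolve(host: str, queries: List[str]) -> Set[str]:
    """Look the host up and record the query: this lookup is the DNS query
    the article attributes to the management interface."""
    queries.append(host)
    return set(RESOLVER.get(host, set()))


def check_flow(flow: Flow) -> EvasionResult:
    queries: List[str] = []
    host = flow.host.lower().rstrip(".")
    resolved = resolve(host, queries)
    # No answer (for example, the DNS signature action is "block", so the
    # name never resolves) leaves nothing to compare against, so the evasion
    # check cannot fire; this matches the article's note on the "block" action.
    mismatch = bool(resolved) and flow.dst_ip not in resolved
    return EvasionResult(host, flow.proto, flow.dst_ip, resolved, mismatch, queries)


def check_flows(flows: List[Flow]) -> List[EvasionResult]:
    return [check_flow(f) for f in flows]


if __name__ == "__main__":
    sample = [
        # Client goes where the name resolves: no mismatch, but the lookup still happens.
        Flow("10.10.10.10", "192.0.2.66", "http", "bad.example.org"),
        # Client names cdn.example.net but connects elsewhere: mismatch.
        Flow("10.10.10.10", "198.51.100.77", "tls", "cdn.example.net"),
        # Name the firewall cannot resolve: no verdict.
        Flow("10.10.10.10", "203.0.113.99", "http", "nx.example.test"),
    ]
    for r in check_flows(sample):
        print(f"{r.host:20} {r.proto:4} dst={r.dst_ip:15} mismatch={r.mismatch} "
              f"resolver_queries={r.resolver_queries}")
```

Note that every flow, benign or not, produces a resolver query; the upstream DNS query from the management interface is a side effect of the check itself, not of the verdict.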
If the domain is malicious, you will notice a malicious or C2 domain DNS query was issued from the Firewall's management interface, which can trigger a security alert in any of the upstream security devices if present.
NOTE: If your firewall management traffic is going through the data plane, you will notice a threat log.
Resolution
- This is expected behavior with this configuration, and it will happen if the DNS Signatures are configured to Alert/Sinkhole (if the Sinkhole IP traffic is routed to the firewall). It will not happen if the DNS Signatures are configured to "block", because the HTTP or HTTPS traffic is never seen: the DNS resolution never succeeds.
- If DNS Signatures are configured as alert/Sinkhole, the Security Policy can be configured with an anti-spyware profile that does not match the DNS Signature for traffic from the firewall management interface to mitigate this issue.
NOTE: The management interface will also initiate a DNS Query to resolve the IP address of any malicious domain that's added as an FQDN Object (Objects>Address) in the firewall and used in a security policy. This query will repeat every 30 minutes if the DNS Query gets blocked. The solution for this is to delete the FQDN Objects and block connections to these domains using DNS Security/DNS Signatures and URL filtering.
Additional Information
The management interface will also initiate a DNS Query to resolve the IP address of any domain in the following conditions.
- DNS Proxy is enabled.
- FQDN objects:
  - An FQDN object is configured in Objects-> Address in the firewall and used in a security policy; it is checked every 30 minutes.
- Monitor tab-> traffic-> Resolve hostname
- Reporting: Within the predefined reports that are enabled by default, the reporting engine attempts to resolve the IP address of the malware FQDN for the URL filtering log reports on botnets and malicious URLs/domains.
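When such queries show up on an upstream resolver or IDS, the practical question is which of the conditions above explains each one. The following is an added triage helper, not Palo Alto Networks code: it takes queries sourced from the management IP (192.168.10.1, as in the article's example), matches each against threat-log entries for evasion signatures 14978/14984 that name the same domain and against the configured FQDN address objects, and labels what the article describes as expected behavior, leaving the remainder for investigation. The log formats below are constructed and simplified, not PAN-OS log syntax, and the domains and IPs are constructed.

```python
"""Added example (not Palo Alto Networks code): triage of DNS queries seen
leaving the firewall management IP. Log formats are constructed and
simplified, not PAN-OS log syntax."""

import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

MGMT_IP = "192.168.10.1"          # management IP from the article's example
EVASION_TIDS = {"14978", "14984"}

# Constructed simplified threat log: time,src,dst,tid,action,domain
THREAT_FIELDS = ("time", "src", "dst", "tid", "action", "domain")
THREAT_LOG = """\
2024-01-01T10:00:01,10.10.10.10,192.0.2.66,14978,alert,bad.example.org
2024-01-01T10:00:05,10.10.10.12,198.51.100.9,14984,alert,cdn.example.net
2024-01-01T10:01:00,10.10.10.10,203.0.113.1,30000,alert,other.example.com
"""

# Constructed FQDN address objects (Objects > Address) referenced by policy.
FQDN_OBJECTS: Dict[str, str] = {"deny-site": "deny.example.org"}

# Constructed upstream resolver log: time,client,qname
DNS_FIELDS = ("time", "client", "qname")
DNS_LOG = """\
2024-01-01T10:00:02,192.168.10.1,bad.example.org
2024-01-01T10:00:06,192.168.10.1,cdn.example.net
2024-01-01T10:05:00,192.168.10.1,deny.example.org
2024-01-01T10:35:00,192.168.10.1,deny.example.org
2024-01-01T10:07:00,192.168.10.1,unknown.example.net
2024-01-01T10:07:30,10.10.10.20,bad.example.org
"""


def parse_csv(text: str, fields) -> List[dict]:
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]


def evasion_domains(threat_rows: List[dict]) -> Dict[str, set]:
    """Domain -> internal clients whose traffic matched an evasion signature."""
    out: Dict[str, set] = defaultdict(set)
    for r in threat_rows:
        if r["tid"] in EVASION_TIDS:
            out[r["domain"].lower()].add(r["src"])
    return out


def classify_mgmt_queries(dns_rows, threat_rows, fqdn_objects, mgmt_ip=MGMT_IP):
    by_evasion = evasion_domains(threat_rows)
    fqdn_names = {v.lower() for v in fqdn_objects.values()}
    results = []
    for r in sorted(dns_rows, key=lambda row: row["time"]):
        if r["client"] != mgmt_ip:
            continue  # only queries sourced from the management interface
        q = r["qname"].lower().rstrip(".")
        if q in by_evasion:
            cat, detail = "evasion-signature", "clients " + ", ".join(sorted(by_evasion[q]))
        elif q in fqdn_names:
            cat, detail = "fqdn-object", "periodic FQDN object refresh"
        else:
            cat, detail = "unexplained", "no matching signature or object; investigate"
        results.append({"time": r["time"], "qname": q, "category": cat, "detail": detail})
    return results


def fqdn_refresh_gaps(results) -> Dict[str, List[float]]:
    """Minutes between successive FQDN-object lookups per name; the article
    states these repeat every 30 minutes when the query is blocked."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for r in results:
        if r["category"] == "fqdn-object":
            times[r["qname"]].append(datetime.fromisoformat(r["time"]))
    return {q: [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
            for q, ts in times.items()}


def triage():
    """Run the classification over the constructed logs embedded above."""
    return classify_mgmt_queries(parse_csv(DNS_LOG, DNS_FIELDS),
                                 parse_csv(THREAT_LOG, THREAT_FIELDS), FQDN_OBJECTS)


if __name__ == "__main__":
    rows = triage()
    for r in rows:
        print(f"{r['time']} {r['qname']:22} {r['category']:18} {r['detail']}")
    print("FQDN refresh gaps (minutes):", fqdn_refresh_gaps(rows))
```

The "unexplained" bucket is the one worth a closer look: a query from the management interface that no evasion signature, FQDN object, report or "Resolve hostname" setting accounts for should be traced back to its source before it is written off as this behavior.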
For additional detailed information on why there are suspicious DNS queries originating from the management interface, please visit here.