How to add an exception for DNS Security domains in PAN-OS 9.x.x - Knowledge Base - Palo Alto Networks

78676
Created On 04/15/20 19:33 PM - Last Modified 11/05/24 16:15 PM


Objective


Note: If you think any domain category needs to be corrected, submit a 'change request' here; the process is defined here. The change in domain or URL category will propagate to the DNS Security cloud and the Anti-Spyware database.
However, if the matter is urgent and you cannot wait for the category update, you can add an exception as described in this document. This exception is local to your Firewall and does not persist across Firewall reboots.


Background information:
PAN-OS 9.x.x:
When DNS Security blocks DNS traffic, the threat log shows the UTID of the DNS Security category rather than of the individual domain; for example, the DGA category TID is 109000001. Different domains are therefore identified by the same DNS Security UTID, i.e. all DGA domains show one threat ID (109000001).
In such a situation, an exception set using the threat ID (109000001) applies to the whole category (DGA). However, you can add an exception for one particular domain only by using the CLI.
This article explains how to add an exception for one domain while continuing to block all other domains in that DNS Security category.

PAN-OS 10.x.x or later:
In PAN-OS 10.x.x or later, the exception can be added by FQDN or by the UTID of the DNS signature. Please refer to the article below.
How to add an exception for DNS Security domains before and after PAN-OS 10.x.x



Environment


  • PAN-OS 9.x.x 
  • Palo Alto Networks Firewall
  • DNS Security license 


Procedure


Following are two possible solutions for PAN-OS 9.x.x.

Solution 1:

You can change the verdict of the domain to benign, i.e. whitelist the domain. This is done from the Firewall CLI as follows:

Step-1:

  • Suppose the domain 'abc.com' is identified as DGA. In this case, a DNS query for it from any host behind the firewall is resolved to the sinkhole address.
  • The following is an example of running the nslookup command on a Windows machine connected to the network.

> nslookup abc.com
abc.com canonical name = sinkhole.paloaltonetworks.com.

 

  • Firewall threat logs can be seen as follows.
    (Screenshot in the original article: threat logs for the domain identified as spyware.)

Step-2:

  • Check the status of the domain verdict with the following command on the firewall CLI.

> show dns-proxy dns-signature cache | match abc.com
*.abc.com                         C2          109000001   86327       0

 

  • Change the domain verdict to benign with the following command. Note that this adds the domain to a whitelist on your Palo Alto Networks Firewall; the entry is effective only locally on this Firewall.

> debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number> match-subdomain <yes|no>

Example for abc.com:

> debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com match-subdomain yes

 

  • You can confirm that the domain is whitelisted. The last number (zero) is the number of hits on this domain.

> show dns-proxy dns-signature cache | match abc
*.abc.com                         White list  420000700   30758373       0

 

  • You can also confirm that the verdict has changed to benign in the data plane.

> debug dataplane show dns-cache print | match abc
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700

 

Step-3:

  • Send a DNS query for the same domain again; it is now resolved to the correct IP address.

> nslookup abc.com
Name: abc.com
Address: 13.227.74.129


Note: The cache entry expires based on the TTL value. The maximum TTL that can be set is 30758400 sec, which is one year. The cache entry can also disappear upon firewall reboot.

Note: Prior to running any debug commands listed in this article, please go through this article, which explains the risks involved.
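The three steps above are verified by reading the `show dns-proxy dns-signature cache` listing before and after the debug command. The following Python script is an added example, not Palo Alto Networks code and not part of the original article: it parses that listing (handling the two-word "White list" verdict, which breaks a naive whitespace split), reports whether an exception is in effect for a given FQDN including wildcard entries, and assembles the debug command after two sanity checks of this example's own choosing (TTL within the one-year maximum the article states, and a gtid that does not collide with a UTID already in the cache). The sample cache output is constructed from the lines shown in the article plus one invented entry for an unrelated DGA domain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `show dns-proxy dns-signature cache`, modelled
# on the two lines in the article (before and after the exception). The
# second entry is invented to show that unrelated domains stay blocked.
SAMPLE_CACHE_BEFORE = """\
*.abc.com                         C2          109000001   86327       0
*.dga-sample.test                 DGA         109000001   81200       3
"""
SAMPLE_CACHE_AFTER = """\
*.abc.com                         White list  420000700   30758373       0
*.dga-sample.test                 DGA         109000001   81200       3
"""

MAX_TTL_SECONDS = 30758400  # largest TTL the article says can be set (one year)


@dataclass
class CacheEntry:
    domain: str   # as shown by the firewall, usually a "*." wildcard
    verdict: str  # e.g. "C2", "DGA", "White list"
    utid: int     # threat ID: category TID before, your gtid after
    ttl: int      # remaining seconds in the cache
    hits: int     # number of queries matched so far


# The verdict column may contain a space ("White list"), so splitting on
# whitespace misaligns the columns. Anchor on the three trailing integer
# columns and treat everything between domain and UTID as the verdict.
_LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cache(output: str) -> List[CacheEntry]:
    """Parse the signature cache listing into structured entries."""
    entries = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header, prompt echo or blank line
        domain, verdict, utid, ttl, hits = m.groups()
        entries.append(CacheEntry(domain, verdict, int(utid), int(ttl), int(hits)))
    return entries


def find_entry(output: str, fqdn: str) -> Optional[CacheEntry]:
    """Return the cache entry covering fqdn, honouring "*." wildcard entries."""
    for e in parse_cache(output):
        base = e.domain[2:] if e.domain.startswith("*.") else e.domain
        if fqdn == base or (e.domain.startswith("*.") and fqdn.endswith("." + base)):
            return e
    return None


def exception_in_effect(output: str, fqdn: str) -> bool:
    """True when the cache shows a whitelist verdict for fqdn (the Step-2 check)."""
    e = find_entry(output, fqdn)
    return e is not None and e.verdict.replace(" ", "").lower() == "whitelist"


def build_exception_command(fqdn: str, gtid: int, ttl: int,
                            current_cache: str, match_subdomain: bool = True) -> str:
    """Assemble the article's debug command after basic sanity checks.

    The checks (TTL range, gtid not already present in the cache) are this
    example's own assumptions, not PAN-OS validation rules.
    """
    if not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL_SECONDS} seconds")
    in_use = {e.utid for e in parse_cache(current_cache)}
    if gtid in in_use:
        raise ValueError(f"gtid {gtid} already appears in the signature cache")
    return (f"debug dnsproxyd dns-signature response verdict Whitelist "
            f"gtid {gtid} ttl {ttl} fqdn {fqdn} "
            f"match-subdomain {'yes' if match_subdomain else 'no'}")


if __name__ == "__main__":
    print(build_exception_command("abc.com", 420000700, MAX_TTL_SECONDS, SAMPLE_CACHE_BEFORE))
    for label, out in (("before", SAMPLE_CACHE_BEFORE), ("after", SAMPLE_CACHE_AFTER)):
        print(label, "abc.com whitelisted:", exception_in_effect(out, "abc.com"),
              "| dga-sample.test whitelisted:", exception_in_effect(out, "dga-sample.test"))
```

In practice you would paste the real `show dns-proxy dns-signature cache | match <domain>` output into `exception_in_effect` after running the debug command; a `False` result for the intended domain, or a `True` result for a domain you did not whitelist, is the signal to re-check the fqdn and match-subdomain values before moving on to Step-3.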
 

Solution 2:

  • Create an External Dynamic List (EDL) containing the domains that need to be allowed.
  • Caveat: The EDL action must be "alert", not "allow"; otherwise the EDL module is skipped and the DNS Security action takes place. This is a known limitation (PAN-174817), summarized below:
    • When the EDL action is set to 'allow', the EDL setting is simply ignored and the DNS Security action takes place, so the DNS traffic can still be blocked by DNS Security.
    • When the EDL action is set to 'alert', the EDL action takes place and the DNS Security action is bypassed.
    • When the DNS traffic is passed, you will see a threat log (TID:12000000, "Suspicious Domain") because the action is 'alert'. These logs can be ignored.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail