How to add exception for DNS Security domains before and after PAN-OS 10.x.x

Created On 04/15/20 19:33 PM - Last Modified 08/04/22 03:52 AM


Objective
Note: If you think any domain category is incorrect, you can submit a change request here.
Reference: How to Submit a Change for a Miscategorized URL in PAN-DB
A category change for a domain or URL propagates to the DNS Security cloud and to the Anti-Spyware database. If the matter is urgent and you cannot wait, or you only want to change the behaviour on your own system, you can add an exception as described in this document.

Note: Adding a DNS Security exception differs between PAN-OS 9.x.x and PAN-OS 10.x.x.
In PAN-OS 9.x.x there is no option to add an exception using an FQDN or the UTID (Unique Threat ID) of the DNS signature, whereas PAN-OS 10.x.x and later allows an exception to be added by FQDN or by UTID.

When DNS traffic is blocked by a DNS Security category, the threat log shows the UTID of that category, for example 109000001.
The full list of DNS Security categories can be found here:
What are the Unique Threat IDs that map to the different DNS Security Categories?

Because each DNS Security category has a single UTID, many different domains are identified by the same UTID. If one of those domains is a false positive, it is hard to add an exception for that particular domain using the UTID, since an exception on the UTID would apply to every domain in the category.
This article explains how to add an exception for one domain while the DNS Security categories continue to block all other domains.

In PAN-OS 10.x.x, the exception can be added by FQDN or by the UTID of the DNS signature.
 


Environment
  • PAN-OS 9.x.x and 10.x.x
  • Palo Alto Firewall
  • DNS security license 


Procedure
Following are two possible solutions for PAN-OS 9.x.x.
 

Solution 1:

You can change the verdict of the domain to benign, that is, whitelist the domain, using firewall CLI commands.
 

Step-1:

  • Suppose the domain 'abc.com' has been identified as DGA. In this case, if any host behind the firewall makes a DNS query for it, the query is resolved to the sinkhole address.
  • This is an example of running the nslookup command on a Windows machine connected to the network.

> nslookup abc.com
abc.com canonical name = sinkhole.paloaltonetworks.com.

 
  • The firewall threat logs appear as follows.
[Screenshot: threat logs for the domain identified as spyware]
 

Step-2:

  • Check the current verdict for the domain with the following command on the firewall CLI.

> show dns-proxy dns-signature cache | match abc.com
*.abc.com                         C2          109000001   86327       0

 
  • Change the domain verdict to benign with the following command. Note that this adds the domain to a whitelist on your Palo Alto Networks firewall only; the entry is effective locally on this firewall and nowhere else.
> debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number> match-subdomain <yes|no>
Example for abc.com:

> debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com match-subdomain yes

 
  • You can confirm that the domain is whitelisted. The last column (zero here) is the number of hits on this domain.

> show dns-proxy dns-signature cache | match abc
*.abc.com                         White list  420000700   30758373       0

 
  • You can also confirm that the verdict has changed to benign in the dataplane.

> debug dataplane show dns-cache print | match abc
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700

 

Step-3:

  • Send a DNS query for the same domain again; it now resolves to the correct IP address.

> nslookup abc.com
Name: abc.com
Address: 13.227.74.129


Note: The cache entry expires when its TTL elapses. The maximum TTL that can be set is 30758400 seconds, which is approximately 1 year. The entry can also disappear when the firewall reboots, so re-check the cache after any restart.

Note: Before running any of the debug commands listed in this article, please read this article, which explains the risks involved.
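Because a whitelist entry added this way lives only in the local cache, expires with its TTL and can vanish on reboot, it is worth keeping an inventory of the overrides in place. The following added example (not code from the Palo Alto Networks article) parses the text layout of `show dns-proxy dns-signature cache` and `debug dataplane show dns-cache print` as printed above, lists the locally added whitelist entries, flags those about to expire, and checks that each is also visible as benign in the dataplane. The column meanings and the treatment of 109000001 as a cloud category id are inferred from the article's own output; the sample output and the GTID values other than 420000700 are constructed.

```python
"""Audit local DNS Security verdict overrides from PAN-OS 9.x CLI output.

Added example; this is not code from the Palo Alto Networks article. It
parses the text layout of `show dns-proxy dns-signature cache` and
`debug dataplane show dns-cache print` as printed in the article. The
column meanings (domain, verdict, threat/GTID, TTL, hits) are inferred from
the article's examples, and the sample output below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show dns-proxy dns-signature cache`.
SIGNATURE_CACHE = """\
*.abc.com                         White list  420000700   30758373       0
*.evil.example                    C2          109000001   86327          12
*.dga.example                     Whitelist   420000701   120            3
"""

# Constructed sample in the layout of `debug dataplane show dns-cache print`.
DATAPLANE_CACHE = """\
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700
evil.example, wildcard: yes, ttl: 0/500/0, temp: 0, verdict malicious, utid: 109000001
"""

# 109000001 is the C2 category UTID quoted in the article. Any whitelisted
# entry whose id is not a cloud category id is treated as a local override
# (assumption: operators pick their own GTID, as with 420000700 above).
CLOUD_CATEGORY_UTIDS = {109000001}


@dataclass
class CacheEntry:
    domain: str
    verdict: str
    threat_id: int
    ttl: int
    hits: int


# The verdict column may contain a space ("White list"), so it is captured
# lazily and the line is anchored on the three trailing integer columns.
_SIG_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

_DP_LINE = re.compile(
    r"^(\S+), wildcard: (yes|no), ttl: (\d+)/(\d+)/(\d+), temp: \d+, "
    r"verdict (\w+), utid: (\d+)$"
)


def parse_signature_cache(text):
    """Return one CacheEntry per parseable line of the signature cache."""
    entries = []
    for line in text.splitlines():
        m = _SIG_LINE.match(line)
        if m:
            domain, verdict, tid, ttl, hits = m.groups()
            entries.append(CacheEntry(domain, verdict.strip(), int(tid), int(ttl), int(hits)))
    return entries


def is_local_override(entry):
    """True for whitelist verdicts that were set locally rather than by the cloud."""
    return (entry.verdict.lower().replace(" ", "") == "whitelist"
            and entry.threat_id not in CLOUD_CATEGORY_UTIDS)


def expiring_overrides(entries, within_seconds):
    """Local overrides whose remaining TTL is at or below the given window."""
    return [e for e in entries if is_local_override(e) and e.ttl <= within_seconds]


def parse_dataplane_cache(text):
    """Map base domain -> dataplane details (assumption: the middle ttl field is the remaining TTL)."""
    cache = {}
    for line in text.splitlines():
        m = _DP_LINE.match(line)
        if m:
            domain, wildcard, _, ttl, _, verdict, utid = m.groups()
            cache[domain] = {"wildcard": wildcard == "yes", "ttl": int(ttl),
                             "verdict": verdict, "utid": int(utid)}
    return cache


def unconfirmed_in_dataplane(entries, dp_cache):
    """Local overrides that the dataplane cache does not show as benign with the same id."""
    missing = []
    for e in entries:
        if not is_local_override(e):
            continue
        base = e.domain[2:] if e.domain.startswith("*.") else e.domain
        dp = dp_cache.get(base)
        if dp is None or dp["verdict"] != "benign" or dp["utid"] != e.threat_id:
            missing.append(base)
    return missing


if __name__ == "__main__":
    sig = parse_signature_cache(SIGNATURE_CACHE)
    for e in sig:
        if is_local_override(e):
            print(f"local override {e.domain} id={e.threat_id} ttl={e.ttl}s hits={e.hits}")
    print("expiring within 1h:", [e.domain for e in expiring_overrides(sig, 3600)])
    print("not confirmed in dataplane:",
          unconfirmed_in_dataplane(sig, parse_dataplane_cache(DATAPLANE_CACHE)))
```

Feed it the real command output captured from the firewall (for example via an SSH session log) in place of the constructed samples; an override that is listed by dns-proxy but missing from the dataplane, or one whose TTL is nearly spent, is the case where the domain is about to be sinkholed again without any configuration change.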


 

Solution 2:

  • Create an external dynamic list (EDL) with the domains that need to be allowed.
  • Caveat: Please note that there is a known limitation, tracked as PAN-174817.
Reference:
Here is what happens:
- When the EDL action is set to 'allow', the EDL setting is simply ignored and the DNS Security action takes place, so the DNS traffic can still be blocked by DNS Security.
- When the EDL action is set to 'alert', the EDL action takes place and the DNS Security action is bypassed. The DNS traffic is allowed, but you will see a threat log entry (TID:12000000, "Suspicious Domain") because the action is set to 'alert'. These logs can be ignored.

 


Additional Information
In PAN-OS 10.x.x, you can add a DNS Security exception either by FQDN or by the UTID of the DNS signature.
 
Step-1:
  • Adding an exception by FQDN is useful when the DNS signature exists in the cloud but its UTID is not visible in ThreatVault, so the UTID is not known.
  • The exception can also be added for a subdomain, as shown below.
  • Go to Objects -> Anti-Spyware profile -> DNS Exceptions.
  • CLI:
> set profiles spyware based-default botnet-domains whitelist 10yxnzg0k9f64ah804u532vwzhzq66.ipgreat.com description "allowing this domain"
 
Step-2:
  • If the UTID of the DNS signature is known, the exception can be added by UTID instead.
  • CLI:
> set profiles spyware based-default threat-exception 78069521 action allow
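When several false positives have been reviewed at once, it is easier to generate the PAN-OS 10.x configuration lines from a list than to type each one. The added example below (not code from the Palo Alto Networks article) builds the two command forms shown in this section, the botnet-domains whitelist for an FQDN and the threat-exception for a UTID, from a review list, validating each entry first. The profile name "based-default" and the two example values come from the article; the review list, the validation rules and the rejection handling are constructed here, and because the article does not say whether a wildcard name is accepted in this form, wildcard entries are rejected rather than emitted.

```python
"""Generate PAN-OS 10.x DNS Security exception commands from a review list.

Added example; not code from the Palo Alto Networks article. The two command
forms (botnet-domains whitelist for an FQDN, threat-exception for a UTID)
and the profile name "based-default" are taken from the article's CLI lines.
The input list, the validation rules and the rejection handling are
constructed here; wildcards are rejected because the article does not state
whether the firewall accepts them in this form.
"""
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(name):
    """Plain FQDN check (no wildcard, at least two labels, 253 chars max)."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def build_exception_commands(profile, items):
    """items: iterable of (kind, value, description) with kind 'fqdn' or 'utid'.

    Returns (commands, rejected). Duplicates are emitted once; invalid
    entries are returned in `rejected` instead of being silently dropped.
    """
    commands, rejected, seen = [], [], set()
    for kind, value, description in items:
        key = (kind, value.strip().lower())
        if key in seen:
            continue
        seen.add(key)
        if kind == "fqdn" and is_valid_fqdn(value):
            # The description is quoted on the CLI; refuse ones that would break the quoting.
            if '"' in description:
                rejected.append((kind, value))
                continue
            commands.append(
                f'set profiles spyware {profile} botnet-domains whitelist '
                f'{value.strip().lower()} description "{description}"'
            )
        elif kind == "utid" and value.strip().isdigit():
            commands.append(
                f"set profiles spyware {profile} threat-exception {value.strip()} action allow"
            )
        else:
            rejected.append((kind, value))
    return commands, rejected


# Constructed review list: the article's two example values plus invalid and duplicate entries.
REVIEW_LIST = [
    ("fqdn", "10yxnzg0k9f64ah804u532vwzhzq66.ipgreat.com", "allowing this domain"),
    ("utid", "78069521", ""),
    ("fqdn", "*.ipgreat.com", "wildcard not emitted by this script"),
    ("utid", "78069521", ""),          # duplicate, emitted once
    ("utid", "78069521x", ""),         # not numeric
]

if __name__ == "__main__":
    cmds, rejected = build_exception_commands("based-default", REVIEW_LIST)
    print("\n".join(cmds))
    print("rejected:", rejected)
```

The generated lines are meant to be pasted into configuration mode and reviewed before commit; keeping the rejected entries visible, rather than dropping them, avoids the situation where a domain believed to be exempted is still being sinkholed because its entry never made it into the profile.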


 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail