How to add exception for DNS Security domains before and after PAN-OS 10.x.x

Created On 04/15/20 19:33 PM - Last Modified 03/10/21 17:07 PM


Objective
Note: If you think a domain category is incorrect, you can submit a change request; it may take one or two days, after which the change in domain or URL category propagates to the DNS Security cloud and the Anti-Spyware database. If it is urgent and you cannot wait, or you only want to make the change on your own system, you can add an exception as described in this document.

Note: Adding a DNS Security exception differs between releases. PAN-OS versions before 10.x.x have only one UTID for the DGA category and one for each of the other categories, while PAN-OS 10.x.x and later allows an exception to be added by URL (FQDN) or by UTID.

For PAN-OS 9.x.x: All domains blocked by the Domain Generation Algorithm (DGA) category carry the same threat ID, 10900000, so different domains are identified by one threat ID. If one of those domains is a false positive, it is hard to add an exception for it, because the domain has no unique threat ID.
This article explains how to add an exception for one domain while still blocking all other domains in the DGA category.

For PAN-OS 10.x.x: An exception can be added by UTID or by domain name.
 


Environment
  • PAN-OS 9.x.x and 10.x.x
  • Palo Alto Networks firewall
  • DNS Security license


Procedure
The following are two possible solutions for PAN-OS 9.x.x.

Solution 1

You can change the verdict to benign or whitelist the domain. This is done with firewall CLI commands.

Step-1.

  • Suppose the domain 'abc.com' is identified as DGA. In that case, a DNS query for it from any host behind the firewall resolves to the sinkhole address.

> nslookup abc.com => This is a Windows command to be run on a host connected to the network.

abc.com canonical name = sinkhole.paloaltonetworks.com.

  • The firewall threat logs can be seen as follows.
    [Figure: threat logs for the domain identified as spyware]

Step-2.

  • Check the status of the domain verdict with the following command:

>show dns-proxy dns-signature cache | match abc.com

*.abc.com                         C2          109000001   86327       0

  • Change the domain verdict to benign with the following command. Note that this adds the domain to a whitelist on the management plane of your Palo Alto Networks firewall; the entry is effective only locally on this firewall.

>debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number>
Example for abc.com:
debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com

  • Confirm that the domain verdict has been changed to benign. The last column, zero here, is the number of hits to this domain.

> show dns-proxy dns-signature cache | match abc
*.abc.com                         White list  420000700   30758373       0

  • You can also confirm from the dataplane:

> debug dataplane show dns-cache | match abc
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700

Step-3.

  • Send a DNS query for the same domain again; it now resolves to the correct IP address.

> nslookup abc.com => (Windows command from the host)
Name: abc.com
Address: 13.227.74.129
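To make the Step-2 checks repeatable, the following is an added Python example (not from the original article and not Palo Alto Networks code). It parses the column layout of the `show dns-proxy dns-signature cache` and `debug dataplane show dns-cache` output shown above, reports which threat IDs are shared by more than one domain (the PAN-OS 9.x.x DGA situation the article describes), and looks up the verdict a given FQDN falls under, honouring the `*.domain` wildcard. The sample output lines, the domains xyz-dga.net and good.example, and all function names are constructed for this example; the exact column layout may vary between releases, so lines that do not match are skipped rather than guessed at.

```python
import re

# Constructed sample in the layout of "show dns-proxy dns-signature cache"
# (columns: domain, verdict, threat ID, TTL, hit count). Not real output.
SIGNATURE_CACHE_SAMPLE = """\
*.abc.com                         C2          109000001   86327       0
*.xyz-dga.net                     C2          109000001   85990       4
*.good.example                    White list  420000700   30758373    0
"""

# Constructed sample in the layout of "debug dataplane show dns-cache".
DATAPLANE_SAMPLE = (
    "good.example, wildcard: yes, ttl: 0/331353/0, temp: 0, "
    "verdict benign, utid: 420000700"
)

# The verdict column may contain a space ("White list"), so anchor on the
# three trailing numeric columns and take whatever sits in between as verdict.
_CACHE_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
_DP_LINE = re.compile(
    r"^(?P<domain>\S+), wildcard: (?P<wildcard>yes|no), ttl: (?P<ttl>\S+), "
    r"temp: (?P<temp>\d+), verdict (?P<verdict>\w+), utid: (?P<utid>\d+)$"
)


def parse_signature_cache(text):
    """Parse management-plane signature-cache lines into dicts; skip others."""
    entries = []
    for line in text.splitlines():
        m = _CACHE_LINE.match(line)
        if not m:
            continue  # header, blank or unrecognised line
        domain, verdict, utid, ttl, hits = m.groups()
        entries.append({"domain": domain, "verdict": verdict, "utid": utid,
                        "ttl": int(ttl), "hits": int(hits)})
    return entries


def parse_dataplane_entry(line):
    """Parse one dataplane dns-cache line; return None if the layout differs."""
    m = _DP_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["wildcard"] = entry["wildcard"] == "yes"
    return entry


def _covers(pattern, fqdn):
    """A '*.abc.com' entry covers abc.com itself and every subdomain of it."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return fqdn == base or fqdn.endswith("." + base)
    return fqdn == pattern


def lookup_verdict(entries, fqdn):
    """Return the cached verdict that applies to fqdn, or None if none does."""
    for entry in entries:
        if _covers(entry["domain"], fqdn):
            return entry["verdict"]
    return None


def shared_threat_ids(entries):
    """Threat IDs covering more than one domain: a per-ID exception would
    unblock all of them, which is why a per-domain whitelist is needed."""
    by_utid = {}
    for entry in entries:
        by_utid.setdefault(entry["utid"], []).append(entry["domain"])
    return {utid: ds for utid, ds in by_utid.items() if len(ds) > 1}


if __name__ == "__main__":
    cache = parse_signature_cache(SIGNATURE_CACHE_SAMPLE)
    for utid, domains in shared_threat_ids(cache).items():
        print(f"threat ID {utid} is shared by: {', '.join(domains)}")
    print("abc.com ->", lookup_verdict(cache, "abc.com"))
    print("www.good.example ->", lookup_verdict(cache, "www.good.example"))
    print(parse_dataplane_entry(DATAPLANE_SAMPLE))
```

Run it against the pasted output of the two `show`/`debug` commands instead of the constructed samples to confirm, after the `debug dnsproxyd dns-signature response` change, that only the intended FQDN moved to a benign verdict and that the DGA threat ID still covers the remaining domains.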


Solution 2
Note: Before running any debug commands listed in this article, go through the referenced article, which explains the risks involved.
 


Additional Information
  • Adding an exception in PAN-OS 10.x.x differs from PAN-OS 9.x.x. PAN-OS 10.x.x covers the following DNS Security categories; you can allow or change the verdict at the category level:
    • DGA                              109000001
    • DNS Tunneling                    109001001
    • DNS Tunneling                    109001002
    • Phishing                         109010001
    • Grayware                         109010002
    • Parked                           109010003
    • Proxy Avoidance and Anonymizers  109010004
    • Dynamic DNS                      109020002
    • Newly Registered Domain          109020001
 
In PAN-OS 10.x.x you can add a DNS Security exception by either FQDN or UTID.
  • Step-1. Adding an exception by FQDN is useful when a signature is available in the cloud but its UTID is not visible in Threat Vault, that is, the UTID is not known. The exception is also applied to the subdomain, as shown below.
  • Go to Objects -> Anti-Spyware Profile -> DNS Exceptions.
    [Figure: DNS Exceptions tab with the FQDN added]
  • CLI:
set profiles spyware based-default botnet-domains whitelist 10yxnzg0k9f64ah804u532vwzhzq66.ipgreat.com description "allowing this domain"

  • Step-2. If the UTID is known, an exception can be added by UTID.
    [Figure: Exceptions tab with the threat ID added]
  • CLI:
set profiles spyware based-default threat-exception 78069521 action allow

