How to add exception for only one DGA domain while blocking the DGA category [DNS Security]

Created On 04/15/20 19:33 PM - Last Updated 06/26/20 18:31 PM


Objective
All domains blocked by the DGA category share the same threat ID, 10900000; that is, different domains are identified by one threat ID. If one of those domains is a false positive, it is therefore hard to add an exception for it, because the domain has no unique threat ID of its own.
This article explains how to add an exception for one domain while continuing to block all other domains in the DGA category.

 


Environment
  • PAN-OS 9.0.x or higher
  • DNS security license 


Procedure
There are two possible solutions. 

Solution 1

You can change the verdict for the domain to benign, or whitelist it, using the firewall CLI commands below.

Step 1.

  • Suppose the domain 'abc.com' is identified as DGA. In this case, a DNS query for it made by any host behind the firewall resolves to the sinkhole address.

> nslookup abc.com
abc.com canonical name = sinkhole.paloaltonetworks.com.

  • The firewall threat logs show the corresponding entries.
   Threat logs for the domain identified as spyware.

Step 2.

  • Check the current verdict for the domain with the following command:

>show dns-proxy dns-signature cache | match abc.com
*.abc.com                         C2          109000001   86327       0

  • Change the domain verdict to benign with the following command. Note that this adds the domain to a whitelist on the management plane of your Palo Alto Networks firewall; the entry is effective only locally on this firewall.

>debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number>
Example for abc.com:
>debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com

  • Confirm that the domain verdict has been changed to benign. The last number, zero, is the number of hits to this domain.

> show dns-proxy dns-signature cache | match abc
*.abc.com                         White list  420000700   30758373       0  

  • You can also confirm the verdict from the data plane:

> debug dataplane show dns-cache print | match abc
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700

Step 3.

  • Send a DNS query for the same domain again; it now resolves to the correct IP address.

> nslookup abc.com
Name: abc.com
Address: 13.227.74.129
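To check the override from a saved copy of the cache output rather than by eye, here is an added Python helper (not part of this article or of PAN-OS) that parses rows of `show dns-proxy dns-signature cache` and reports whether a given FQDN is still blocked, whitelisted, or whitelisted but with its TTL running low. The sample output is constructed from the two cache lines shown above, and the `min_ttl` threshold for "expiring" is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sample output constructed from the cache lines shown in the article (before and after the override).
CACHE_BEFORE = """> show dns-proxy dns-signature cache | match abc.com
*.abc.com                         C2          109000001   86327       0
"""
CACHE_AFTER = """> show dns-proxy dns-signature cache | match abc
*.abc.com                         White list  420000700   30758373       0
"""

@dataclass
class CacheEntry:
    pattern: str   # pattern as cached, e.g. "*.abc.com"
    verdict: str   # "C2", "White list", ...
    gtid: int      # signature / override id column
    ttl: int       # remaining TTL in seconds (counts down)
    hits: int      # last column: hits against this entry

def parse_cache(output: str) -> List[CacheEntry]:
    """Parse data rows of `show dns-proxy dns-signature cache`; the command echo is skipped."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        # A data row ends with three numeric columns: gtid, ttl, hits.
        if len(parts) < 4 or not all(p.isdigit() for p in parts[-3:]):
            continue
        verdict = " ".join(parts[1:-3])  # the verdict may contain a space ("White list")
        entries.append(CacheEntry(parts[0], verdict, int(parts[-3]), int(parts[-2]), int(parts[-1])))
    return entries

def find_entry(entries: List[CacheEntry], fqdn: str) -> Optional[CacheEntry]:
    """Match fqdn against cached patterns; "*.abc.com" covers abc.com and its subdomains."""
    for e in entries:
        if e.pattern.startswith("*."):
            suffix = e.pattern[1:]                     # ".abc.com"
            if fqdn == suffix[1:] or fqdn.endswith(suffix):
                return e
        elif fqdn == e.pattern:                        # non-wildcard entries match exactly
            return e
    return None

def exception_status(output: str, fqdn: str, min_ttl: int = 86400) -> str:
    """Return 'absent', 'blocked', 'whitelisted' or 'expiring' (TTL below min_ttl; threshold assumed)."""
    e = find_entry(parse_cache(output), fqdn)
    if e is None:
        return "absent"
    if e.verdict.lower().replace(" ", "") in ("whitelist", "benign"):
        return "expiring" if e.ttl < min_ttl else "whitelisted"
    return "blocked"
```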


Solution 2.
 


Additional Information
Note: Before running any of the debug commands listed in this article, go through this article, which explains the risks involved.
 

