How to add exception for only one DGA domain while blocking the DGA category [DNS Security]
All domains blocked by the DGA category share the same threat ID, 10900000; that is, different domains are identified by one threat ID. If one of these domains is a false positive, it is therefore hard to add an exception for it, because the domain does not have a unique threat ID.
This article explains how to add the exception for one domain while still blocking all other domains under the DGA category.
- PAN-OS 9.0.x or higher
- DNS security license
There are two possible solutions.
- Suppose the domain 'abc.com' is identified as DGA. In this case a DNS query for it from any host behind the firewall resolves to the sinkhole address.
> nslookup abc.com
abc.com canonical name = sinkhole.paloaltonetworks.com.
- Firewall threat logs can be seen as follows.
- Check the domain's current verdict with the following command:
>show dns-proxy dns-signature cache | match abc.com
*.abc.com C2 109000001 86327 0
- Change the domain's verdict to benign with the following command. Note that this adds the domain to a whitelist on the management plane of your Palo Alto Networks firewall; the entry is effective only locally on this firewall.
>debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number>
Example for abc.com
>debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com
- Confirm that the domain's verdict has changed to benign. The last number (zero here) is the number of hits on this domain.
> show dns-proxy dns-signature cache | match abc
*.abc.com White list 420000700 30758373 0
- You can also confirm this from the data plane:
> debug dataplane show dns-cache print | match abc
abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700
- Send a DNS query for the same domain again; it now resolves to the correct IP address.
> nslookup abc.com
- Alternatively, create an External Dynamic List (EDL) containing the required domain and use it as an allow list.
Note: Prior to running any of the debug commands listed in this article, go through this article, which explains the risks involved.
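The following Python script is an added example, not part of the original article or a Palo Alto Networks tool. It parses the two cache outputs shown above (`show dns-proxy dns-signature cache` and `debug dataplane show dns-cache print`) and checks that both planes agree the domain is benign under the chosen gtid, and that an nslookup answer no longer points at the sinkhole. The column layout (fqdn, verdict, id, ttl, hits) and all sample lines are assumptions constructed from the output the article shows; the right-to-left split handles verdicts that contain a space, such as "White list".

```python
"""Verify a per-domain DNS Security exception from PAN-OS CLI output.

Added example; sample lines are constructed from the article's output and the
column layout is assumed from those samples.
"""
import re
from dataclasses import dataclass

SINKHOLE = "sinkhole.paloaltonetworks.com"

# Constructed samples of 'show dns-proxy dns-signature cache' before/after override.
MP_CACHE_BEFORE = "*.abc.com C2 109000001 86327 0"
MP_CACHE_AFTER = "*.abc.com White list 420000700 30758373 0"
# Constructed sample of 'debug dataplane show dns-cache print' after override.
DP_CACHE_AFTER = ("abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, "
                  "verdict benign, utid: 420000700")
# Constructed nslookup answers (203.0.113.10 is a documentation address).
NSLOOKUP_BEFORE = "abc.com canonical name = sinkhole.paloaltonetworks.com."
NSLOOKUP_AFTER = "Name:\tabc.com\nAddress: 203.0.113.10"

_HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


@dataclass
class MpEntry:
    fqdn: str
    verdict: str
    threat_id: int
    ttl: int
    hits: int


def parse_mp_cache_line(line):
    """Parse one management-plane cache line into an MpEntry."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"unexpected cache line: {line!r}")
    # The verdict may contain spaces ("White list"), so take the three
    # trailing numeric columns first and treat whatever is between as verdict.
    threat_id, ttl, hits = (int(x) for x in parts[-3:])
    return MpEntry(parts[0], " ".join(parts[1:-3]), threat_id, ttl, hits)


def parse_dp_cache_line(line):
    """Parse one data-plane dns-cache line into a dict of its fields."""
    fields = {}
    for chunk in (c.strip() for c in line.split(",")):
        if ":" in chunk:                      # e.g. "utid: 420000700"
            key, value = chunk.split(":", 1)
            fields[key.strip()] = value.strip()
        elif chunk.startswith("verdict "):    # "verdict benign" has no colon
            fields["verdict"] = chunk.split(" ", 1)[1]
        elif "fqdn" not in fields:            # leading bare hostname
            fields["fqdn"] = chunk
    return fields


def exception_applied(mp_line, dp_line, fqdn, gtid):
    """Return (ok, reasons): both planes must show fqdn benign under gtid."""
    reasons = []
    mp = parse_mp_cache_line(mp_line)
    mp_fqdn = mp.fqdn[2:] if mp.fqdn.startswith("*.") else mp.fqdn
    if mp_fqdn != fqdn:
        reasons.append(f"management plane entry is for {mp.fqdn}, not {fqdn}")
    if mp.verdict.lower().replace(" ", "") != "whitelist":
        reasons.append(f"management plane verdict is {mp.verdict!r}")
    if mp.threat_id != gtid:
        reasons.append(f"management plane id {mp.threat_id} != gtid {gtid}")
    dp = parse_dp_cache_line(dp_line)
    if dp.get("fqdn") != fqdn:
        reasons.append(f"data plane entry is for {dp.get('fqdn')}, not {fqdn}")
    if dp.get("verdict") != "benign":
        reasons.append(f"data plane verdict is {dp.get('verdict')!r}")
    if dp.get("utid") != str(gtid):
        reasons.append(f"data plane utid {dp.get('utid')} != gtid {gtid}")
    return (not reasons, reasons)


def resolves_to_sinkhole(nslookup_output):
    """True if the resolver answer still points at the DNS Security sinkhole."""
    return SINKHOLE in nslookup_output


def build_override_command(fqdn, gtid, ttl, verdict="Whitelist"):
    """Compose the article's debug command after validating its inputs."""
    if not _HOSTNAME.match(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    if ttl <= 0 or gtid <= 0:
        raise ValueError("ttl and gtid must be positive integers")
    return (f"debug dnsproxyd dns-signature response verdict {verdict} "
            f"gtid {gtid} ttl {ttl} fqdn {fqdn}")


if __name__ == "__main__":
    print(build_override_command("abc.com", 420000700, 30758400))
    ok, why = exception_applied(MP_CACHE_AFTER, DP_CACHE_AFTER, "abc.com", 420000700)
    print("exception applied:", ok, why)
    print("still sinkholed:", resolves_to_sinkhole(NSLOOKUP_AFTER))
```

Feed the script the real command output captured from the firewall (one line per domain) rather than the constructed samples; a non-empty `reasons` list tells you which plane has not yet picked up the new verdict, and the `hits` column from `parse_mp_cache_line` shows whether clients have queried the domain since the override.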