Enable Logging for DNS Proxy Requests
Created On 02/29/24 16:57 PM - Last Modified 10/20/25 23:59 PM
Objective
Enable logging for requests sent to the DNS Proxy on the firewall, to gain visibility into the DNS requests that clients have made.
Environment
- NGFW
- DNS Security
Procedure
These steps require a DNS Security license.
1. Create a DNS Proxy rule (Network > DNS Proxy).
2. Create a Security Anti-Spyware Profile object (Objects > Security Profiles > Anti-Spyware).
3. Create a security rule from the DNS Proxy interface to the DNS server(s) specified when the DNS Proxy was created.
   - Allow traffic from the DNS Proxy interface: an allow rule is needed that permits traffic from the DNS Proxy interface to the DNS server.
4. Create a security rule to log the requests from clients.
   - General tab
     - Name: give the rule the desired name.
     - Change 'Rule Type' to 'Intranet'.
   - Source tab
     - Add the zone(s) that requests will be received from.
   - Application tab
     - Add dns-base to 'Applications'.
   - Actions tab
     - Apply the Anti-Spyware Profile created in step 2 to this logging rule.
     - Ensure 'Log at Session End' is selected.
5. Set the pan-dns-sec-benign action through the CLI.
   - Log in to the CLI.
   - Switch to configure mode.
   - Run the following command:
     set profiles spyware <Anti-Spyware Profile Name> botnet-domains dns-security-categories pan-dns-sec-benign action allow log-level low packet-capture disable
   - Commit the changes.
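The same procedure expressed as PAN-OS configure-mode set commands, added here as an example and not part of the article. Everything except the pan-dns-sec-benign line is an assumed equivalent of the GUI steps, and all names and addresses are constructed: DNS Proxy DNS-PROXY-LOG on ethernet1/2 (10.1.1.1, zone TRUST), DNS servers 10.2.2.53 and 10.2.2.54 in zone DMZ, and profile AS-DNS-LOG; lines beginning with # are annotations, not CLI input.

```text
configure
# Step 1: DNS Proxy bound to the client-facing interface, forwarding to the internal DNS servers
set network dns-proxy DNS-PROXY-LOG interface ethernet1/2
set network dns-proxy DNS-PROXY-LOG default primary 10.2.2.53 secondary 10.2.2.54
set network dns-proxy DNS-PROXY-LOG enabled yes
# Steps 2 and 5: Anti-Spyware profile that logs benign DNS Security verdicts (the article's command, with the assumed profile name)
set profiles spyware AS-DNS-LOG botnet-domains dns-security-categories pan-dns-sec-benign action allow log-level low packet-capture disable
# Step 3: allow the proxy interface to reach the DNS servers
set rulebase security rules ALLOW-DNSPROXY-TO-DNS from TRUST to DMZ source 10.1.1.1 destination [ 10.2.2.53 10.2.2.54 ] application dns-base service application-default action allow log-end yes
# Step 4: log client requests to the proxy interface; the attached profile is what produces the DNS Security log entries
set rulebase security rules LOG-CLIENT-DNS from TRUST to TRUST source any destination 10.1.1.1 application dns-base service application-default action allow log-end yes profile-setting profiles spyware AS-DNS-LOG
commit
```

Verify the syntax with ? completion on the target PAN-OS version before committing, and confirm afterwards that dns-base sessions matching LOG-CLIENT-DNS appear in the Threat log with the low-severity benign category.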
Additional Information
Please be aware that if the Spyware profile is moved to another device group (DG), the set command for pan-dns-sec-benign will need to be re-applied.
How to Configure DNS Proxy on a Palo Alto Networks Firewall