Enable Logging for DNS Proxy Requests

Created On 02/29/24 16:57 PM - Last Modified 10/20/25 23:59 PM


Objective


Enable logging for requests sent to the DNS Proxy on the firewall, so that the DNS requests clients have made become visible in the logs.

Environment


  • NGFW
  • DNS Security


    Procedure


    These steps require a DNS Security License.

    1. Create DNS Proxy rule (Network>DNS Proxy)
    2. Create Security Anti-Spyware Profile Object (Objects>Security Profiles>Anti-Spyware)
    3. Create a security rule from the DNS Proxy interface to the DNS server(s) specified in the DNS Proxy configuration.
      1. Allow traffic sourced from the DNS Proxy interface.
      2. This must be an allow rule permitting traffic from the DNS Proxy interface to the DNS server(s).
    4. Create security rule to log request from client.
      1. General Tab
        1. Name: Give desired name.
        2. Change 'Rule Type' to 'intrazone'
      2. Source Tab
        1. Add Zone(s) that requests will be received from.
      3. Application
        1. Add dns-base to 'Applications'
      4. Actions
        1. Apply the Anti-Spyware Profile created in step 2 to this logging rule.
        2. Ensure 'Log at Session End' is selected.
    5. Set the pan-dns-sec-benign logging action through the CLI
      1. Log in to CLI
      2. Switch to configure mode
      3. Run the following command:
        1. set profiles spyware <Anti-Spyware Profile Name> botnet-domains dns-security-categories pan-dns-sec-benign action allow log-level low packet-capture disable
    6. Commit changes


    Additional Information


    Please be aware that if the Anti-Spyware profile is moved to another device group (DG), the set command for pan-dns-sec-benign will need to be re-applied.
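    The following is an added example, not part of this article: a Python script that audits a PAN-OS configuration export (XML) for the pan-dns-sec-benign setting applied in step 5, and prints the article's set command for any Anti-Spyware profile that lacks it, which is one way to catch the device-group move described above. The XML element path mirrors the CLI path and the profile names in the sample are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element path mirrors the CLI path
# 'profiles spyware <name> botnet-domains dns-security-categories';
# profile names are made up for this example.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><profiles><spyware>
  <entry name="dns-logging-profile"><botnet-domains><dns-security-categories>
    <entry name="pan-dns-sec-benign"><action>allow</action>
      <log-level>low</log-level><packet-capture>disable</packet-capture></entry>
  </dns-security-categories></botnet-domains></entry>
  <entry name="moved-profile"><botnet-domains><dns-security-categories>
    <entry name="pan-dns-sec-benign"><action>allow</action>
      <log-level>none</log-level></entry>
  </dns-security-categories></botnet-domains></entry>
  <entry name="plain-profile"><botnet-domains/></entry>
</spyware></profiles></entry></vsys></entry></devices></config>"""

CATEGORY = "pan-dns-sec-benign"
SET_CMD = ("set profiles spyware {name} botnet-domains dns-security-categories "
           "pan-dns-sec-benign action allow log-level low packet-capture disable")


def audit_benign_logging(config_xml):
    """Map each Anti-Spyware profile name to 'ok' or a short reason it fails."""
    root = ET.fromstring(config_xml)
    results = {}
    for spyware in root.iter("spyware"):
        for profile in spyware.findall("entry"):  # direct children only
            name = profile.get("name")
            cat = profile.find(
                f"botnet-domains/dns-security-categories/entry[@name='{CATEGORY}']")
            if cat is None:
                results[name] = "pan-dns-sec-benign not configured"
                continue
            action = cat.findtext("action", default="")
            # A missing <log-level> is treated as 'none' here (assumption).
            level = cat.findtext("log-level", default="none")
            if action != "allow":
                results[name] = f"action is {action!r}, expected 'allow'"
            elif level == "none":
                results[name] = "log-level none: benign DNS queries not logged"
            else:
                results[name] = "ok"
    return results


def remediation_commands(results):
    """The article's 'set' command for every profile that is not 'ok'."""
    return [SET_CMD.format(name=n) for n, s in sorted(results.items()) if s != "ok"]
```

    Run the audit against a configuration exported from the firewall or Panorama after any device-group move and commit the emitted commands where a profile is reported as not 'ok'.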

    How to Configure DNS Proxy on a Palo Alto Networks Firewall

    Anti-Spyware Profile



      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XMUCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail