Why isn't DNS Security detecting my DNS tunneling test traffic?
Created On 07/26/24 20:39 PM - Last Modified 08/26/24 05:28 AM
Question
There are two signatures (109001001 & 109001002) that can detect DNS tunneling. (The full Threat ID list can be found in this link.)
Why isn't DNS Security detecting my DNS tunneling test traffic?
Environment
- DNS Security License
- PAN-OS 9.1 or later
Answer
A likely reason that DNS Security did not detect the DNS tunneling traffic generated by the test is that the detector is optimized for real-world DNS tunneling attacks and includes rules designed to prevent false positives.
These rules ensure that a domain which has existed for many years (for example, your own domain, if the test uses it) is not classified into the DNS tunneling category. If you would like to conduct further testing, register a new domain and use it for the DNS tunneling test.