DNS Security Behaviour in PAN-OS when There Is Connectivity Issue to DNS Security Cloud Service

Created On 10/17/24 02:55 AM - Last Modified 04/10/25 20:46 PM


Symptom


When there is a connectivity issue to the DNS Security cloud service, the following symptoms are seen:

[a] If no DNS response is received within the DNS signature lookup timeout:

  • On the packet capture:
    • The DNS request is forwarded by the firewall to the destination DNS server.
    • The DNS request from the client is present in the drop pcap after the DNS signature lookup timeout has expired.
  • On the global counters, ctd_dns_wait_pkt_drop is incremented.

[b] If a DNS response is received within the DNS signature lookup timeout:

  • On the packet capture:
    • The DNS request is forwarded by the firewall to the destination DNS server.
    • The DNS response received within the DNS signature lookup timeout is dropped and is present in the drop pcap.
    • The DNS request from the client is re-transmitted (seen in the transmit pcap).
    • The next DNS response, received after the DNS signature lookup timeout has expired, is forwarded to the client.
  • On the global counters, ctd_dns_wait_pkt_drop is incremented.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Valid DNS Security license
  • DNS Security is enabled under Anti-Spyware security profile


Cause


How DNS Security processes queries is explained under the Resolution section.



Resolution


The behavior of DNS Security in PAN-OS is as follows:

  1. When there is no cloud verdict AND no DNS response is received within the DNS signature lookup timeout (default is 100ms):
    1. The DP will receive a not-resolved message from the MP at 100ms.
    2. PAN-OS will not re-transmit the DNS request, because no DNS response was received and dropped.
    3. The DNS request from the client will be dropped. This is a copy of the one received from the client, so it is not a real drop.

  2. When the DNS response is received within the DNS signature lookup timeout and no cloud verdict is received (e.g. due to a DNS Security cloud service connectivity issue):
    1. The DNS response will be dropped and PAN-OS will re-transmit the original DNS request (an extra DNS request in the transmit stage).
    2. If the next DNS response is received after the DNS signature lookup timeout has expired, the DNS response will be forwarded to the client as the fail-open mechanism.

  3. When the DNS response is received before the cloud verdict (the cloud verdict is eventually received, i.e. there is no connectivity issue to the DNS Security cloud service, only a delay):
    1. If the DNS response is received within the DNS signature lookup timeout, the DNS response is dropped.
    2. If the cloud verdict is malicious, the session is marked blocked; there is no further processing and no further forwarding of queries or responses.
    3. If the cloud verdict is benign, PAN-OS will re-transmit the original DNS request (an extra DNS request in the transmit stage). The cached benign signature will allow the following DNS response to pass through.
    4. If the DNS response is received beyond the DNS signature lookup timeout, the DNS response is forwarded to the client.
    5. If the cloud verdict is malicious, a threat log is triggered.
    6. If the cloud verdict is benign, no further action is required.

  4. When the cloud verdict is received before the DNS response:
    1. If the cloud verdict is malicious, the session is marked blocked; there is no further processing and no further forwarding of queries or responses.
    2. If the cloud verdict is benign, no further action is required. Future DNS traffic passes through normally.
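The four cases above can be hard to keep straight when reading a pcap and the ctd_dns_wait_pkt_drop counter side by side. The following is an added timeline model written for this page (it is not PAN-OS code or anything from the article): given when the server's first response and the cloud verdict arrive relative to the 100ms lookup timeout, it returns the actions the article describes and the expected counter increment. Function and action names are assumptions chosen for illustration.

```python
# Added example (not from the article): timeline model of the Resolution cases.
LOOKUP_TIMEOUT_MS = 100  # default DNS signature lookup timeout stated in the article


def dns_security_outcome(response_ms=None, verdict_ms=None, verdict=None):
    """Return (actions, ctd_dns_wait_pkt_drop increment) for one DNS query.

    response_ms: arrival of the first server response (ms after the query was
                 forwarded), or None if no response ever arrives.
    verdict_ms:  arrival of the cloud verdict, or None if the cloud is unreachable.
    verdict:     "benign" or "malicious"; only used when verdict_ms is not None.
    """
    actions, drops = [], 0
    within = response_ms is not None and response_ms <= LOOKUP_TIMEOUT_MS
    verdict_first = verdict_ms is not None and (
        response_ms is None or verdict_ms < response_ms)

    if verdict_first:                                  # case 4: verdict before response
        if verdict == "malicious":
            actions += ["session blocked", "threat log"]
        else:
            actions.append("DNS traffic passes normally")
        return actions, drops

    if not within:                                     # nothing arrived within 100 ms
        if verdict_ms is None:                         # case 1 / symptom [a]
            actions += ["MP sends not-resolved at 100ms",
                        "copy of client request dropped"]
            drops += 1
        if response_ms is not None:                    # late response: forwarded (fail open)
            actions.append("response forwarded to client")
            if verdict_ms is not None:                 # case 3, steps 4-6
                actions.append("threat log" if verdict == "malicious"
                               else "no further action")
        return actions, drops

    # response within the timeout and no verdict yet: symptom [b]
    actions.append("response dropped")
    drops += 1
    if verdict_ms is None:                             # case 2: cloud unreachable
        actions += ["original request re-transmitted",
                    "next response (after timeout) forwarded: fail open"]
    elif verdict == "malicious":                       # case 3, step 2
        actions += ["session blocked", "threat log"]
    else:                                              # case 3, step 3
        actions += ["original request re-transmitted",
                    "cached benign signature lets next response through"]
    return actions, drops
```

A counter that rises together with client queries in the drop pcap, while the cloud verdict never arrives, matches case 1; the same counter with dropped server responses and re-transmitted queries matches case 2.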


Additional Information




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PQibCAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail