How to detect and block possible DNS PTR scanning activity

Created On 10/25/22 21:05 PM - Last Modified 08/18/25 21:48 PM


Objective


This article shows how to create a custom threat signature that detects, and optionally blocks, DNS requests of type PTR once they exceed a chosen rate threshold.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS 
  • DNS Pointer (PTR)
  • Custom Threat Signature


Procedure


  1. Create a custom threat signature as per the documentation, or see the KB article How to create a custom threat signature for more visual guidance on the general steps.
    • Note that the operator should be set to "equal to" and the context to dns-req-record-type with a value of 12 (the DNS record type number for PTR).

[Screenshot 2022-10-25 at 22.51.45.png]

  2. Create a brute force signature from the parent custom threat signature created above.
  3. Create the time attribute based on the desired threshold. In the example shown, it is 100 requests per second.


[Screenshot 2022-10-25 at 23.01.52.png]
[Screenshot 2022-10-25 at 23.02.31.png]
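To illustrate the matching logic the two signatures combine (question type 12 = PTR, then a per-source count reaching 100 in one second), here is an added Python example that is not part of this article or of PAN-OS: it parses the question section of raw DNS queries and counts PTR questions per source per one-second bucket over constructed sample traffic. The build_query helper and the source addresses are assumptions made for the example.

```python
import struct
from collections import defaultdict

PTR_QTYPE = 12   # DNS question type PTR; the dns-req-record-type value from the article
A_QTYPE = 1      # DNS question type A, used only for the benign sample traffic


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query (constructed sample traffic, not captured data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (qname, qtype) of the first question, or None if there is none."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while packet[pos] != 0:          # walk the length-prefixed labels
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


def flag_ptr_scanners(events, threshold=100):
    """events: (timestamp_seconds, src_ip, raw_dns_query) tuples. Like the brute
    force signature: count PTR questions per source in each one-second bucket
    and return the buckets that reach the threshold."""
    counts = defaultdict(int)
    for ts, src, pkt in events:
        parsed = parse_query(pkt)
        if parsed and parsed[1] == PTR_QTYPE:
            counts[(src, int(ts))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def sample_events():
    """Constructed traffic: one host reverse-resolving 120 addresses within one
    second (scan-like) and one host doing ordinary lookups with a few PTRs."""
    events = []
    for i in range(120):             # assumed scanner address 192.0.2.10
        name = f"{i + 1}.0.0.10.in-addr.arpa"
        events.append((0.001 * i, "192.0.2.10", build_query(name, PTR_QTYPE)))
    for _ in range(150):             # assumed benign host 192.0.2.20
        events.append((0.5, "192.0.2.20", build_query("example.com", A_QTYPE)))
    for _ in range(3):
        events.append((0.6, "192.0.2.20", build_query("1.0.0.10.in-addr.arpa", PTR_QTYPE)))
    return events
```

Running `flag_ptr_scanners(sample_events())` reports only the scanning host, `{('192.0.2.10', 0): 120}`; the benign host's A queries are ignored and its three PTR lookups stay below the threshold.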


