PAN-OS 7.1 Custom DNS Signatures Block List
31263
Created On 09/25/18 17:39 PM - Last Modified 06/09/23 05:39 AM
Resolution
Palo Alto Network customers might receive third-party threat intelligence that includes malicious domains that Palo Alto Networks may not have in its own signatures. A new PAN-OS 7.1 feature, supported on all PAN-OS devices running PAN-OS 7.1 or later, allows customers to create a custom DNS signatures block list.
Solution:
- This new feature allows customers to add a custom list of domains to be used with the sinkhole functionality in the Anti-Spyware Profile.
- This feature is supported on all PAN-OS devices, including M-100, M-500, and Panorama VM, running PAN-OS 7.1 or later.
Feature details:
- A new custom DNS spyware signature is created for each item in the External Dynamic List (EDL)
- The signature name for custom DNS sinkhole signatures will be "Suspicious DNS Query (full domain name)“
- A new signature ID is created for each item in the list automatically with range in a pool
- Signature type will be spyware, with medium severity
- Restrictions
- Up to 30 EDLs of any type are supported
- Up to 50,000 domains are supported (system-wide)
- If there are more than 50,000 domains, the first 50,000 are taken and a system log will be generated indicating that capacity has been exceeded
- No limit on individual lists, but aggregate of all lists cannot exceed 50,000
- High-End Platform Capacity (PA-5000 and PA-7000)
- Up to 30 EDLs of any type are supported
- Maximum of 150,000 total IPs, and 50,000 total domains
- The domain lists filename on the remote server must be in a regular text format
- One domain per line
- If the count exceeds the platform limits, the commit will fail
Configuration
- Custom DNS signature block lists can be configured under Objects tab > External Dynamic Lists (formerly Dynamic Block Lists) using a type of Domain list:
- Block list actions are configured in Objects tab > Anti-Spyware Profiles. Any configured External Dynamic Lists that are Domain type will appear in the drop-down menu:
- Note that Palo Alto Networks DNS Signatures appear by default under External Dynamic List Domains with an action of sinkhole
- The IPv4 sinkhole address defaults to PAN Sinkhole Default, but can be changed as desired
- Configuration of External Dynamic Lists can be set from the CLI:
# set shared/<vsys vsys1> external-list <tab>
-list of current added lists
<name>
# set shared/<vsys vsys1> external-list <name>
+ description description
+ url url
+ type type
> recurring recurring
<Enter> Finish input
# set shared/<vsys vsys1> external-list <name> type <tab>
domain Domain List
ip IP List
- Configuration of Anti-Spyware Profiles can be set from the CLI:
# set shared/<vsys vsys1> profiles spyware <profilename> <tab>
+ description description
> botnet-domains botnet-domains
> rules rules
> threat-exception threat-exception
<Enter> Finish input
# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains <tab>
+ packet-capture packet-capture
> list list of domains (new option added)
> sinkhole sinkhole (sinkhole setting common to lists)
> threat-exception threat-exception
<Enter> Finish input
# set shared/<vsys vsys1> profiles spyware AS1 botnet-names list <tab>
... completion handler picks up the relevant domain lists ...
<name>
# set shared/<vsys vsys1> profiles spyware AS1 botnet-names list <domain list name> <tab>
action
# set shared/<vsys vsys1> profiles spyware AS1 botnet-names list <domain list name> action <tab>
alert
allow
block
sinkhole
- External Dynamic Lists can be manually refreshed using the following command:
> request system external-list refresh type domain name custom-dns-block-list
EDL refresh job enqueued
- The request will be queued as a job, and its status can be checked using the 'show jobs' command, or by viewing Tasks in the WebUI
- Job type is EDLRefresh
- Failures of download or EDL refresh will be recorded in system logs and ms.log
High Availability
- The text file, which contains mapping of internal threat-ID to malicious domains, is recreated on HA peers on every commit.