What Information is Submitted to the Palo Alto Networks when Enabling the Passive DNS Feature

18955
Created On 09/25/18 17:30 PM - Last Modified 06/07/23 17:29 PM


Resolution


PAN-OS 6.0 and later

 

Details

Enabling passive DNS monitoring is an opt-in feature in PAN-OS 6.0 or later. It enables the Palo Alto Networks firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.

 

Only DNS responses (never queries) are forwarded to Palo Alto Networks, and a response is forwarded only when all of the following conditions are met:

  1. The DNS response (QR) bit is set
  2. The DNS truncated (TC) bit is not set
  3. The DNS recursive bit is not set
  4. The DNS response code is 0 (NOERROR) or 3 (NXDOMAIN)
  5. The DNS question count is greater than 0
  6. The DNS answer RR count is greater than 0, or, if it is 0, the response code must be 3 (NXDOMAIN)
  7. The DNS query record type is one of A, NS, CNAME, AAAA, or MX
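The seven conditions above amount to a filter over the DNS header and the question section of each response. The following Python script is an added example (not Palo Alto Networks code) that parses a wire-format DNS message and applies those checks, so that a defender can see exactly which responses a passive DNS sensor of this kind would and would not forward. It assumes that "recursive bit" means the Recursion Desired (RD) flag; the sample messages are constructed inline, and the builder attaches placeholder answer RDATA because the filter never inspects the answer payload.

```python
import struct

# Query types named on the page, mapped to their wire-format codes (RFC 1035 / RFC 3596).
ALLOWED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def _read_name(msg, offset):
    """Decode a DNS name starting at offset; returns (name, offset after the name).

    Follows compression pointers (0xC0xx) but reports the offset following the
    first pointer, which is where the next field of the current record starts.
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length == 0:                      # root label terminates the name
            offset += 1
            if not jumped:
                end = offset
            break
        if length & 0xC0 == 0xC0:            # compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def eligible_for_passive_dns(msg):
    """Apply the seven forwarding conditions from the article.

    Returns (True, "<qname> <qtype>") when the response would be forwarded,
    otherwise (False, reason) naming the first failing condition.
    """
    if len(msg) < 12:
        return False, "too short to hold a DNS header"
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    qr = (flags >> 15) & 1
    tc = (flags >> 9) & 1
    rd = (flags >> 8) & 1                    # assumption: "recursive bit" = RD
    rcode = flags & 0xF
    if not qr:
        return False, "1: not a response (QR=0)"
    if tc:
        return False, "2: truncated (TC=1)"
    if rd:
        return False, "3: recursive bit set (RD=1)"
    if rcode not in (0, 3):
        return False, f"4: rcode {rcode} is neither NOERROR nor NXDOMAIN"
    if qdcount == 0:
        return False, "5: question count is 0"
    if ancount == 0 and rcode != 3:
        return False, "6: no answer RRs and not NXDOMAIN"
    qname, off = _read_name(msg, 12)         # question section follows the header
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    if qtype not in ALLOWED_QTYPES:
        return False, f"7: qtype {qtype} not in A/NS/CNAME/AAAA/MX"
    return True, f"{qname} {ALLOWED_QTYPES[qtype]}"


def build_response(qname, qtype, rcode=0, answers=1, qr=True, tc=False, rd=False):
    """Construct a minimal DNS message for testing the filter (sample data, not a capture)."""
    flags = (int(qr) << 15) | (int(tc) << 9) | (int(rd) << 8) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)   # QCLASS IN
    # Each answer RR points back at the question name (offset 12) and carries
    # 4 placeholder RDATA bytes; the filter above never parses RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, 4) + b"\x0a\x00\x00\x01"
    return header + question + answer * answers


if __name__ == "__main__":
    samples = {
        "A NOERROR with answer":      build_response("example.com", 1),
        "NXDOMAIN, no answers":       build_response("nx.example.com", 1, rcode=3, answers=0),
        "NOERROR but empty answer":   build_response("example.com", 1, answers=0),
        "truncated response":         build_response("example.com", 1, tc=True),
        "RD set":                     build_response("example.com", 1, rd=True),
        "TXT query":                  build_response("example.com", 16),
        "a query, not a response":    build_response("example.com", 1, qr=False),
    }
    for label, msg in samples.items():
        print(f"{label:28} -> {eligible_for_passive_dns(msg)}")
```

Running the script prints one line per constructed message showing whether it passes the filter and, when it does not, which numbered condition rejected it; the NXDOMAIN case with zero answers is the one that exercises the exception in condition 6.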

 

To enable passive DNS monitoring on a Palo Alto Networks firewall running PAN-OS 7.1 or earlier, go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes:

[Screenshot: passive DNS.JPG]

 

To enable Passive DNS on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.

[Screenshot: telemetry.png]

 

 

owner: achalla



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGHCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail