topic Re: Has anyone done a custom APP to block recursive DNS queries? in Custom Signatures

Has anyone done a custom APP to block recursive DNS queries?

mcannady — Tue, 05 Jul 2022 13:16:27 GMT

I've built two signatures for DNS. One to indicate recursive lookup and not recursive lookup. When I test, the app that is evaluated first is triggered. reverse the order and the formerly 2nd app triggers. It is like the expressions are not evaluated.

Has anyone done this before?

I have a case open with paloalto about this, but it has been open for almost a year.

Re: Has anyone done a custom APP to block recursive DNS queries?

P.Jacob — Wed, 06 Jul 2022 20:01:25 GMT

what does your signature look like?

Re: Has anyone done a custom APP to block recursive DNS queries?

mcannady — Mon, 18 Jul 2022 19:15:44 GMT

I want to block the request traffic that this wireshark display filter would select:

(((dns.flags.response == 0) && (dns.flags.recdesired == 1)) && (dns.flags.opcode == 0)) && (ip.proto == 17) and only looking at port 53 traffic.

Re: Has anyone done a custom APP to block recursive DNS queries?

nikoolayy1 — Fri, 26 Aug 2022 21:49:38 GMT

Just create a 4 conditions that match a string and the specify the text.

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-pattern-requirements

I think that the dns request header context should do the job:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/dns-req-header

You can also match on a reqex but you will need a reqex that matches 4 strings/words and they all should be in the pact (AND &&) but maybe better just add 4 conditions joined with a ‘AND’ that have the four patters as I said.

Re: Has anyone done a custom APP to block recursive DNS queries?

nikoolayy1 — Tue, 22 Nov 2022 13:31:07 GMT

Did you manage to resolve this ? Also as a note you can do app flow debug to see if you are matching the correct app to get the idea if Palo Alto is not matching the wrong app:

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102

Maybe try also switching between DNS UDP to TCP or vice versa as this could be related to the issue who knows (maybe TCP DNS and UDP DNS are seen differently by the palo alto device) as maybe you will need to use custom app with unknown tcp/udp context (CPU intensive just for info):

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/unknown-req-udp-payload

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/udp-context-free

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/unknown-req-udp-payload

You can play also with using the Palo Alto DNS proxy feature as this may help.