topic Re: How to write a custom app signature that allows only a specific DNS query? in Automation/API Discussions

How to write a custom app signature that allows only a specific DNS query?

ericgearhart — Wed, 05 Dec 2012 15:03:22 GMT

We'd like to build a custom app ID that permits only one specific DNS query to make it through... for example, we want wireless clients (which have our Palo Alto as their default gateway) to only query for the DNS A record "vpngateway.example.com"

Has anyone built anything like this? The custom app signature tech note focuses specifically on HTTP... if we could get an example of building a DNS specific custom app signature, that would be awesome

Thanks guys,

Eric

Re: How to write a custom app signature that allows only a specific DNS query?

ksteves — Thu, 27 Dec 2012 21:35:42 GMT

you can use context 'dns-req-section' and \x to start and end hex

bytes for length to construct the domain name in the question like the

example below, however I'm not aware of how to construct a valid

pattern to match case insensitive.

the below will match www.hp.com but not www.HP.COM and so on.

also, if you could match case insensitive someone could use

name/label compression to subvert the pattern match.

set application dns-qname-www.hp.com signature www.hp.com and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern \x03\xwww\x02\xhp\x03\xcom\x0000010001\x

set application dns-qname-www.hp.com signature www.hp.com and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context dns-req-section

set application dns-qname-www.hp.com signature www.hp.com scope protocol-data-unit

set application dns-qname-www.hp.com signature www.hp.com order-free yes

set application dns-qname-www.hp.com signature www.hp.com comment "0001 is type A 0001 is class IN"

set application dns-qname-www.hp.com parent-app dns

Re: How to write a custom app signature that allows only a specific DNS query?

sberti — Tue, 22 Jan 2013 00:02:41 GMT

Hi Eric,

I'm afraid you might be out of luck here. One of the many differences between DNS and HTTP is that the first one is 1 packet in each direction.

This means in your case you won't be able to have the custom app matched unless DNS as a parent application is allowed but if you do this all DNS requests will be allowed through not just the one you specify in your customer app.

Let's assume you create your custom_dns application where www.hp.com is detected and allow it in a policy from A(client) to B (dns server).

Now, if the default dns application is denied as soon as the firewall detects that this is a DNS request (It does it before the content is inspected) the request will be denied. Application has been detected as dns and there is an deny action associated wit it

On the other hand if the default dns application is allowed when the traffic goes through the firewall the application will shift from dns (the default one) to the custom_dns as soon as the firewall reads the content. So in the logs you'll see a correct match with the custom_dns app you created but being this the mechanism this implies all other dns requests will be allowed as well.

Hope this helps to understand the logic.

-Salvo

Re: How to write a custom app signature that allows only a specific DNS query?

ericgearhart — Thu, 31 Jan 2013 18:10:43 GMT

Just to kind of follow up on this and provide some closure, the way we decided we're going to do this is via PA's DNS proxying... we're going to force proxying on and only allow the one specific domain we want to resolve via DNS to be explicitly resolved to the IP we want that one host record to resolve to. This basically solves our problem in a reasonably elegant way.

Re: How to write a custom app signature that allows only a specific DNS query?

markeating — Fri, 15 Mar 2013 10:38:11 GMT

Hi Eric,

have a look at the post I updated ()- gives details of exactly how to do this via a custom app/custom threat signature.

I've just done this to do the reverse of what you're trying - allow lookups to an entire domain, but block 1 specific dns entry out of the entire domain, so it is possible.