topic Re: Blocking specific DNS lookups via Custom threats - solved! in Automation/API Discussions

Blocking specific DNS lookups via Custom threats - solved!

markeating — Thu, 14 Mar 2013 12:11:27 GMT

Hi all,

I've got a bit of a challenge that I'm hoping someone may be able to assist me with. We use GloblaProtect (always on) and it's playing havoc with a few of our apps that can access both internal & external servers (eg: Outlook Anywhere, Lync etc..).

The biggest challenge we face is that once GP connects, it is able to resolve the internal DNS entries for those services, and attempts to connect via the vpn. Although we block this traffic, it takes quite a while for the servcies to fail over to use the external access points which can cause user perception issues. The simplest way to get around this is if the client is unable to resolve 3 specific DNS entries on our internal domain, but not block DNS lookups to the whole domain. I believe that we may be able to do this via a custom threat signature, but can't for the life of me get it working & was hoping that someone would be able to help me identify how to write the reg expression & which specific DNS decoder to use as its driving me nuts.

for info, I've seen the other similar thread (https://live.paloaltonetworks.com/message/22931#22931), but not sure it's quite the same - although happy to be told otherwise.

thanks very much,

Re: Blocking specific DNS lookups via Custom threats

ericgearhart — Thu, 14 Mar 2013 15:46:56 GMT

Are you not able to use the DNS Proxy feature of Palo Alto to write up some static DNS entries, and essentially "force" DNS resolution to specific IP addresses, only on traffic that is coming from your GlobalProtect zone?

P.S. - it's a bit funny that you're referencing my thread, and the suggestion I have is basically based on what I learned from that thread

Re: Blocking specific DNS lookups via Custom threats

markeating — Thu, 14 Mar 2013 15:56:42 GMT

Thanks,

I guess thats a different way of approaching it - instead of blocking/dropping the specific requests, have static dns entries pointing to the alternate IP's.

I'll have a go, however not sure of the impact due to the use of certificates & encryption of the comms between client & server, so it may break if the client is connecting to something else. It's worth a try though as I'm struggling to get anything else working right now

In theory though, we shoudl be abel to make use of the dns decoders in the custom vulnerability signatures, however I'm yet to find any decent documentation on the use of the decoders & regular expressions, but will keep looking.

Re: Blocking specific DNS lookups via Custom threats

ericgearhart — Thu, 14 Mar 2013 16:02:25 GMT

markeating@deloitte.co.uk wrote:

^^ that says it all... at my shop we would have liked to take advantage of a custom DNS app as well, but the docs were lacking.

Re: Blocking specific DNS lookups via Custom threats - solved!

markeating — Thu, 14 Mar 2013 23:04:43 GMT

So after a lot of messing around & finally talking to the righ person, have managed to create the following:

A custom app that uses a specific dns name in the signature for identification
A custom threat/vulnerability profile using a dns name in the signature for identification

In both cases, I can use this new custom signature to allow/block traffic successfully 🙂

It turns out that it's quite simple to do really, and I take no credit for figuring it out as the information is on the Palo Alto site (it just wasn't that easy to find). You need to write the pattern match in hex taken from a Wireshark trace under the dns-req-section context as per the details in this link:

I used it last night & had my custom signature working within about 20 minutes of me getting this information.