https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-test-dns-security-properly/m-p/272782#M593 <P>In reading up on DNS Security I found that URL's provided for testing in the following document,&nbsp;<A title="Enabling DNS Security" href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-security/enable-dns-security" target="_self">Enabling DNS Security,</A>&nbsp;do not accurately ensure DNS Security feature license is installed and configured. A very accurate indicator of this is that all of those URL's are adequately blocked on a firewall running PAN-OS 8.1.x due to the PAN-DB URL filtering policies most companies would have enabled.</P><P>&nbsp;</P><P>Here is the suggested testing method from the above URL:</P><UL><LI><SPAN class="ph cmd">Test that the policy action is enforced.</SPAN><OL><LI><SPAN class="ph cmd">Access the following test domains to verify that the policy action for a given threat type is being enforced:</SPAN><DIV class="itemgroup info"><UL><LI><DIV class="p">Malware—<A title="" href="http://test-malware.testpanw.com/" target="_blank" rel="noopener">test-malware.testpanw.com</A></DIV></LI><LI><DIV class="p">C2—<A title="" href="http://test-c2.testpanw.com/" target="_blank" rel="noopener">test-c2.testpanw.com</A></DIV></LI><LI><DIV class="p">DGA—<A title="" href="http://test-dga.testpanw.com/" target="_blank" rel="noopener">test-dga.testpanw.com</A></DIV></LI><LI><DIV class="p">DNS Tunneling—<A title="" href="http://test-dnstun.testpanw.com/" target="_blank" rel="noopener">test-dnstun.testpanw.com</A></DIV></LI></UL></DIV></LI></OL></LI></UL><P>So this leads me to the questions...</P><OL><LI>How DO you accurately test that DNS Security is blocking DGA, DNS Tunneling, etc.?</LI><LI>Can the Administrator Guide please be updated to accurately describe the process ensuring proper enablement of the DNS Security advanced feature?</LI></OL><P>BTW, @PANW -&nbsp;Why is the Oilrig signature default action "alert" instead of blocking it? Using a strict profile is pretty essential.</P><P>&nbsp;</P><P>If you have a successful test plan for DNS Security implementation please comment.</P><P>&nbsp;</P><P>Thanks!</P> Mon, 24 Jun 2019 21:01:47 GMT bspilde 2019-06-24T21:01:47Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-test-dns-security-properly/m-p/272782#M593 <P>In reading up on DNS Security I found that URL's provided for testing in the following document,&nbsp;<A title="Enabling DNS Security" href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-security/enable-dns-security" target="_self">Enabling DNS Security,</A>&nbsp;do not accurately ensure DNS Security feature license is installed and configured. A very accurate indicator of this is that all of those URL's are adequately blocked on a firewall running PAN-OS 8.1.x due to the PAN-DB URL filtering policies most companies would have enabled.</P><P>&nbsp;</P><P>Here is the suggested testing method from the above URL:</P><UL><LI><SPAN class="ph cmd">Test that the policy action is enforced.</SPAN><OL><LI><SPAN class="ph cmd">Access the following test domains to verify that the policy action for a given threat type is being enforced:</SPAN><DIV class="itemgroup info"><UL><LI><DIV class="p">Malware—<A title="" href="http://test-malware.testpanw.com/" target="_blank" rel="noopener">test-malware.testpanw.com</A></DIV></LI><LI><DIV class="p">C2—<A title="" href="http://test-c2.testpanw.com/" target="_blank" rel="noopener">test-c2.testpanw.com</A></DIV></LI><LI><DIV class="p">DGA—<A title="" href="http://test-dga.testpanw.com/" target="_blank" rel="noopener">test-dga.testpanw.com</A></DIV></LI><LI><DIV class="p">DNS Tunneling—<A title="" href="http://test-dnstun.testpanw.com/" target="_blank" rel="noopener">test-dnstun.testpanw.com</A></DIV></LI></UL></DIV></LI></OL></LI></UL><P>So this leads me to the questions...</P><OL><LI>How DO you accurately test that DNS Security is blocking DGA, DNS Tunneling, etc.?</LI><LI>Can the Administrator Guide please be updated to accurately describe the process ensuring proper enablement of the DNS Security advanced feature?</LI></OL><P>BTW, @PANW -&nbsp;Why is the Oilrig signature default action "alert" instead of blocking it? Using a strict profile is pretty essential.</P><P>&nbsp;</P><P>If you have a successful test plan for DNS Security implementation please comment.</P><P>&nbsp;</P><P>Thanks!</P> Mon, 24 Jun 2019 21:01:47 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-test-dns-security-properly/m-p/272782#M593 bspilde 2019-06-24T21:01:47Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-test-dns-security-properly/m-p/273942#M602 <P>The steps provided were to show you that the DNS Sinkhole functionality was being actioned/"hit on".</P><P>While I agree that these same sites are probably used in the Content Profile for URL Categorization, testing was done to provide confirmation that DNS sinkhole was working.</P><P>&nbsp;</P><P>I enabled the Spyware profile to use the licensed DNS security feature.</P><P>But, instead of using the default sinkhole.paloaltonetworks.com FQDN, I used a bogus 9.9.9.9 as my sinkhole.</P><P>&nbsp;</P><P>Then I tested the 4 sites.</P><P>&nbsp;</P><P>My traffic was blocked, not because of the URL.&nbsp; In looking at the threat logs, I see the action of sinkhole against the IP of my device.</P><P>For confirmation, I filtered on the Traffic log, and saw 4 hits on a destination IP of 9.9.9.9, which were not there, prior to my testing.</P><P>&nbsp;</P><P>Therefore, the DNS Security feature, along with sinkholing to a different IP, shows/provides me confidence that the DNS security feature worked, before the URL filtering profile (which may well have those 4 sites listed), but Spyware profile is what was triggered.</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Jun 2019 19:35:24 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-test-dns-security-properly/m-p/273942#M602 S.Cantwell 2019-06-28T19:35:24Z