<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DNS logs in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/272795#M594</link>
    <description>&lt;P&gt;Technically, you could create a custom vulnerability that would match "normal" DNS traffic, set it to Alert for the action and set packet capturing to on. Unless you have plenty of resource overhead available to use on your PA, I'm guessing this could be a bad idea for that much packet capturing just the same. It would fill up the threat log quota or &lt;SPAN&gt;Extended Threat Pcaps quota&amp;nbsp;&lt;/SPAN&gt;much more rapidly. In the logging you would then get a request source and destination, just having to open the PCAP to get the domain record that was requested.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It would be great if there were just a DNS lookup log with the requestor IP included. Perhaps on your DNS server this is done, and you can limit DNS lookups to just your DNS server(s) so everyone would need to be pointed there.&lt;/P&gt;</description>
    <pubDate>Mon, 24 Jun 2019 21:26:09 GMT</pubDate>
    <dc:creator>bspilde</dc:creator>
    <dc:date>2019-06-24T21:26:09Z</dc:date>
    <item>
      <title>DNS logs</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/246511#M485</link>
      <description>&lt;P&gt;Is there a way to view and/or log DNS queries and responses (outside of anti-spyware rules)? The passive DNS telemetry configuration seems to do what we want, but those FQDN to IP mappings are sent to Palo and it doesn't appear that we can view what FQDNs resolve to what IPs in the logs. This doesn't appear to be a feature in the DNS proxy object either? Is there anything with PAN-OS that supports this? For all queries, not just malicious ones.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jan 2019 16:15:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/246511#M485</guid>
      <dc:creator>mpochan</dc:creator>
      <dc:date>2019-01-17T16:15:54Z</dc:date>
    </item>
    <item>
      <title>Re: DNS logs</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/246523#M486</link>
      <description>&lt;P&gt;You can set up a continuous packet capture in the firewall for protocol 17 (UDP) and destination port 53, and then check the packet capture when you need this information. If you have excessive DNS traffic through your firewall this can cause increased dataplane CPU utilization, so be careful.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For the DNS Proxy feature in the firewall you can check its cache from the CLI:&lt;BR /&gt;&lt;BR /&gt;&amp;gt; show dns-proxy cache all | match&amp;nbsp;&amp;lt;fqdn&amp;gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;OR&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;gt; show dns-proxy cache filter type RR_A all FQDN&amp;nbsp;&amp;lt;fqdn&amp;gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jan 2019 19:06:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/246523#M486</guid>
      <dc:creator>mivaldi</dc:creator>
      <dc:date>2019-01-17T19:06:06Z</dc:date>
    </item>
    <item>
      <title>Re: DNS logs</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/272795#M594</link>
      <description>&lt;P&gt;Technically, you could create a custom vulnerability that would match "normal" DNS traffic, set it to Alert for the action and set packet capturing to on. Unless you have plenty of resource overhead available to use on your PA, I'm guessing this could be a bad idea for that much packet capturing just the same. It would fill up the threat log quota or &lt;SPAN&gt;Extended Threat Pcaps quota&amp;nbsp;&lt;/SPAN&gt;much more rapidly. In the logging you would then get a request source and destination, just having to open the PCAP to get the domain record that was requested.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It would be great if there were just a DNS lookup log with the requestor IP included. Perhaps on your DNS server this is done, and you can limit DNS lookups to just your DNS server(s) so everyone would need to be pointed there.&lt;/P&gt;</description>
      <pubDate>Mon, 24 Jun 2019 21:26:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-logs/m-p/272795#M594</guid>
      <dc:creator>bspilde</dc:creator>
      <dc:date>2019-06-24T21:26:09Z</dc:date>
    </item>
  </channel>
</rss>