https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27383#M19965 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P><STRONG>Regarding DNS Sinkhole: This is a new feature, will be available on PAN-OS 6.0.</STRONG></P><P></P><P>This feature adds a new option to the anti-spyware profile, allowing an administrator to enable DNS sinkhole for DNS-based spyware signatures.&nbsp; The user specifies the IPs to sinkhole to, and then the user can run reports on that IP to identify infected hosts.&nbsp; The user can also set the address to the loopback address to effectively cut off the communication.</P><P>The sinkhole action, just like the block action for DNS signatures, should be processed before the DNS proxy is processed.&nbsp; Thus, the query never goes through the proxy and sinkhole records are not cached if DNS proxy caching is enabled.</P><P></P><P>DNS Sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.&nbsp; Sinkhole DNS queries involve forging responses to select DNS queries so that clients on the network connect to a specified host rather than the actual host pointed to by DNS.&nbsp; Infected hosts can then be identified from traffic logs and reports.&nbsp; Any hosts that attempt to connect to the sinkholes host (assumed not to be contacted for any legitimate purpose) is infected with malware.</P><P></P><P>Regarding DNS PROXY, please refer below mentioned documents:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4633">How to Configure DNS Proxy on a Palo Alto Networks Firewall</A></P><P><A href="https://live.paloaltonetworks.com/message/11035">about</A></P><P></P><P>I hope above explanation will help you.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 14 Jan 2014 22:25:30 GMT HULK 2014-01-14T22:25:30Z https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27382#M19964 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Are there any <SPAN style="font-weight: inherit; font-style: inherit; font-family: inherit; text-decoration: underline;">Security</SPAN> benefits to using the current implementation of DNS proxy on the PAN? I have seen on the ver 6.0, a new feature called DNS sinkhole, but I don't think it will require the DNS proxy feature. Watchguard checks DNS headers and a couple of other criteria for DNS based attacks, but I don't see anything in PAN documentation that says the PAN Firewall does anything when used a DNS proxy.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Any thoughts?</P></BODY></HTML> Tue, 14 Jan 2014 22:01:12 GMT https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27382#M19964 craymond 2014-01-14T22:01:12Z https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27383#M19965 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P><STRONG>Regarding DNS Sinkhole: This is a new feature, will be available on PAN-OS 6.0.</STRONG></P><P></P><P>This feature adds a new option to the anti-spyware profile, allowing an administrator to enable DNS sinkhole for DNS-based spyware signatures.&nbsp; The user specifies the IPs to sinkhole to, and then the user can run reports on that IP to identify infected hosts.&nbsp; The user can also set the address to the loopback address to effectively cut off the communication.</P><P>The sinkhole action, just like the block action for DNS signatures, should be processed before the DNS proxy is processed.&nbsp; Thus, the query never goes through the proxy and sinkhole records are not cached if DNS proxy caching is enabled.</P><P></P><P>DNS Sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.&nbsp; Sinkhole DNS queries involve forging responses to select DNS queries so that clients on the network connect to a specified host rather than the actual host pointed to by DNS.&nbsp; Infected hosts can then be identified from traffic logs and reports.&nbsp; Any hosts that attempt to connect to the sinkholes host (assumed not to be contacted for any legitimate purpose) is infected with malware.</P><P></P><P>Regarding DNS PROXY, please refer below mentioned documents:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4633">How to Configure DNS Proxy on a Palo Alto Networks Firewall</A></P><P><A href="https://live.paloaltonetworks.com/message/11035">about</A></P><P></P><P>I hope above explanation will help you.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 14 Jan 2014 22:25:30 GMT https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27383#M19965 HULK 2014-01-14T22:25:30Z https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27384#M19966 <HTML><HEAD></HEAD><BODY><P>Thanks for the information on the sinkhole function. I am using DNS proxy for a "test" environment, so I have set it up and know how it works, but my question is more on whether the PAN includes any security related functionality when using DNS proxy (especially if using reverse DNS proxy) or if this increases security for the environment. </P></BODY></HTML> Wed, 15 Jan 2014 14:18:15 GMT https://live.paloaltonetworks.com/t5/general-topics/benefits-of-using-dns-proxy/m-p/27384#M19966 craymond 2014-01-15T14:18:15Z