https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42659#M31321 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>as far as I understand Anti-Spyware profiles, the DNS options will find DNS lookups to known malware sites. How exactly does this work? Will the actual DNS lookup be blocked or will the client's access to the site be blocked?</P><P></P><P>Quote from the documentation:</P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates.</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">What if hosts use an internal DNS server? That would result in only the DNS server showing up in the botnet report?</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">Thanks</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P></BODY></HTML> Sat, 01 Jun 2013 13:27:08 GMT cryptochrome 2013-06-01T13:27:08Z https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42659#M31321 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>as far as I understand Anti-Spyware profiles, the DNS options will find DNS lookups to known malware sites. How exactly does this work? Will the actual DNS lookup be blocked or will the client's access to the site be blocked?</P><P></P><P>Quote from the documentation:</P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates.</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">What if hosts use an internal DNS server? That would result in only the DNS server showing up in the botnet report?</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';">Thanks</SPAN></P><P><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif';"><BR /></SPAN></P></BODY></HTML> Sat, 01 Jun 2013 13:27:08 GMT https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42659#M31321 cryptochrome 2013-06-01T13:27:08Z https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42660#M31322 <HTML><HEAD></HEAD><BODY><P>Hi...The default action is to alert(log) these DNS lookups.&nbsp; You can configure the action for the DNS signature in the anti-spyware profile as seen:</P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/6729_pastedImage_0.png" style="width: 372px; height: 207px;" /></P><P></P><P>Only the DNS query matching the DNS signature will be block. Other DNS query not matching will be allow through.</P><P></P><P>If all external DNS queries are performed by an internal DNS server, then yes the botnet report would show the source as the internal DNS server.&nbsp; Thanks.</P></BODY></HTML> Sun, 02 Jun 2013 15:41:18 GMT https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42660#M31322 rmonvon 2013-06-02T15:41:18Z https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42661#M31323 <HTML><HEAD></HEAD><BODY><P>thanks <A __default_attr="2357" __jive_macro_name="user" class="jive_macro jive_macro_user" data-objecttype="3" href="https://live.paloaltonetworks.com/"></A> - much appreciated. </P></BODY></HTML> Sun, 02 Jun 2013 15:51:23 GMT https://live.paloaltonetworks.com/t5/general-topics/question-on-anti-spyware-dns-signatures/m-p/42661#M31323 cryptochrome 2013-06-02T15:51:23Z