topic Re: DNS Query in General Topics

DNS Query

Joshan_Lakhani — Sat, 15 Aug 2020 13:56:38 GMT

Can we configure firewall will allow only one response for one dns request packet. Please suggest

Re: DNS Query

Remo — Sat, 15 Aug 2020 15:29:04 GMT

Hi @Joshan_Lakhani

I see two possibilities to do this:

Configure the DNS proxy feature to only correctly resolve this one dns entry you need (the client/server then needs to have this dns proxy IP configured as DNS server)
Create a custom application signature where you specify the DNS entry that you want to allow

Re: DNS Query

Joshan_Lakhani — Sat, 15 Aug 2020 15:46:56 GMT

I want to configure like this in cisco dns-guard Like that firewall will allow only one response for one dns request packet. So Can we configure this in our palo alto firewall.

Re: DNS Query

Joshan_Lakhani — Sat, 15 Aug 2020 15:48:34 GMT

@Remo Thanks for your reply

I want to configure like this in cisco dns-guard Like that firewall will allow only one response for one dns request packet. So Can we configure this in our palo alto firewall.

Re: DNS Query

Remo — Sat, 15 Aug 2020 16:20:07 GMT

Ok, so for example when a client asks for www.google.com you want only one IP as response? If I understood now correctly, then no, this is not possible.

Re: DNS Query

OtakarKlier — Mon, 17 Aug 2020 21:19:43 GMT

Hello,

It might help if we understood the reasoning behind the question, i.e. we want to do this because.....

In addition to enabling DNS-Proxy, please make sure to configure and enable all the security features including the dns sinkhle.

Regards,

Re: DNS Query

Joshan_Lakhani — Tue, 18 Aug 2020 19:57:01 GMT

@OtakarKlier thanks for you reply

As we observed some time users are access yahoo.com instead of this user will also get other response too like shopping site, advertising page etc.. so can we prevent the user to access only yahoo.com rather then add some other DNS query resolution . Please suggest

Re: DNS Query

OtakarKlier — Tue, 18 Aug 2020 21:16:21 GMT

Hello,

I think I am understanding now. If you go to a site like yahoo.com, that person will be seen as going to many different sites and categories. This is due to the nature of the destination site as the main site maybe 1 category, but since the site is dynamic and pulls in other sites to display content, you will see other things, i.e. advertising. So if you block advertising, you will start to see your block page appearing in little places where that particular dynamic content is getting pulled in from.

As you can see from the screen shot there is a blank spot on the right where an 'Ad' is supposed to be displayed. However we block them for several reasons.

Hope that makes sense

Re: DNS Query

Joshan_Lakhani — Wed, 19 Aug 2020 05:52:58 GMT

@OtakarKlier

Just a little correction here: No, we do not want single IP in response of a domain resolution – a single response can have multiple IP addresses. What we want to achieve is, whenever a client requests DNS server for a DNS query Palo Alto should ensure it gets a single response. We basically want to prevent DDOS attacks that are initiated using DNS responses.

Re: DNS Query

OtakarKlier — Wed, 19 Aug 2020 14:17:54 GMT

Hello,

Thanks for that clarification. I would recommend following the Palo Alto best practice and configure a DoS protection policy along with the Zone Protection policy.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOICA0

Regards,

Re: DNS Query

Joshan_Lakhani — Wed, 19 Aug 2020 19:37:20 GMT

@Remo

@OtakarKlier Thanks for you reply

As the issue is when user send his request to DNS. palolalto resolve one one DNS query rather than i will contact with other DNS traffic also. Some can we pervent for multiple DNS response for single query.