https://live.paloaltonetworks.com/t5/general-topics/whitelisting-load-balanced-sites-fetch-dns-records-as-json/m-p/244428#M97314 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103867">@Hugh.Kelley</a>,</P> <P>&nbsp;</P> <P>can't comment on dns.google.com or dns-api.org but would like to provide some comments on <A href="https://github.com/PaloAltoNetworks/fqdn-service" target="_blank" rel="nofollow noopener noreferrer">https://github.com/PaloAltoNetworks/fqdn-service</A></P> <UL> <LI>It is a "serverless implementation" (no VM needed). It is likely to cost you 0$ a month unless you share it with a large community of users</LI> <LI>It can resolve many FQDN's at once which means that a single miner is needed</LI> <LI>It can store a history of responses</LI> </UL> <P>Take into account, though, that if you're using PANOS then you better create custom L7 apps (SSL Decrypt + matching the HTTP Host Header or SSL Response Certificate in case you're not decryting) instead of matching based on FQDN. FQDN matching is performed at "sample intervals" (i.e. once an hour) and these FQDN entries behind AWS rotate tipically at 1 minute intervals. That means that you will, probably, fail to match many sessions between sample intervals no matter which DNS service you end up using</P> Wed, 26 Dec 2018 11:37:02 GMT xhoms 2018-12-26T11:37:02Z https://live.paloaltonetworks.com/t5/general-topics/whitelisting-load-balanced-sites-fetch-dns-records-as-json/m-p/244406#M97313 <P>For sites (to be whitelisted) that are behind ever-changing IP ranges (e.g. Amazon load balancer), has anybody used a services like these?&nbsp; &nbsp;</P> <P>&nbsp;</P> <P><A href="https://dns.google.com/resolve?name=www.netflix.com&nbsp;" target="_blank">https://dns.google.com/resolve?name=www.netflix.com&nbsp;</A></P> <P><A href="https://dns-api.org/A/www.netflix.com" target="_blank">https://dns-api.org/A/www.netflix.com</A></P> <P>&nbsp;</P> <P>Is there an existing miner that does DNS lookups?</P> <P>&nbsp;</P> <P>I saw this recommend in another thread but I'm hoping to avoid another VM:</P> <P>&nbsp;</P> <P><A href="https://github.com/PaloAltoNetworks/fqdn-service" target="_blank">https://github.com/PaloAltoNetworks/fqdn-service</A></P> <P>&nbsp;</P> <P>This is the prototype I'm using</P> <P>&nbsp;</P> <PRE>prototypes: dnsLookup:www_netflix_com: class: minemeld.ft.json.SimpleJSON config: age_out: default: null interval: 3600 sudden_death: true attributes: confidence: 100 share_level: green type: IPv4 extractor: Answer[?type == `1`] fields: - name indicator: data prefix: dns source_name: dns.netflix url: https://dns.google.com/resolve?name=www.netflix.com development_status: STABLE indicator_types: - IPv4 node_type: miner tags: - ConfidenceHigh - ShareLevelGreen </PRE> Wed, 26 Dec 2018 05:34:18 GMT https://live.paloaltonetworks.com/t5/general-topics/whitelisting-load-balanced-sites-fetch-dns-records-as-json/m-p/244406#M97313 Hugh.Kelley 2018-12-26T05:34:18Z https://live.paloaltonetworks.com/t5/general-topics/whitelisting-load-balanced-sites-fetch-dns-records-as-json/m-p/244428#M97314 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103867">@Hugh.Kelley</a>,</P> <P>&nbsp;</P> <P>can't comment on dns.google.com or dns-api.org but would like to provide some comments on <A href="https://github.com/PaloAltoNetworks/fqdn-service" target="_blank" rel="nofollow noopener noreferrer">https://github.com/PaloAltoNetworks/fqdn-service</A></P> <UL> <LI>It is a "serverless implementation" (no VM needed). It is likely to cost you 0$ a month unless you share it with a large community of users</LI> <LI>It can resolve many FQDN's at once which means that a single miner is needed</LI> <LI>It can store a history of responses</LI> </UL> <P>Take into account, though, that if you're using PANOS then you better create custom L7 apps (SSL Decrypt + matching the HTTP Host Header or SSL Response Certificate in case you're not decryting) instead of matching based on FQDN. FQDN matching is performed at "sample intervals" (i.e. once an hour) and these FQDN entries behind AWS rotate tipically at 1 minute intervals. That means that you will, probably, fail to match many sessions between sample intervals no matter which DNS service you end up using</P> Wed, 26 Dec 2018 11:37:02 GMT https://live.paloaltonetworks.com/t5/general-topics/whitelisting-load-balanced-sites-fetch-dns-records-as-json/m-p/244428#M97314 xhoms 2018-12-26T11:37:02Z