Blocking specific DNS lookups via Custom threats - solved!

Not applicable


Hi all,

I've got a bit of a challenge that I'm hoping someone may be able to assist me with. We use GlobalProtect (always on) and it's playing havoc with a few of our apps that can access both internal & external servers (e.g. Outlook Anywhere, Lync etc.).

The biggest challenge we face is that once GP connects, it is able to resolve the internal DNS entries for those services, and attempts to connect via the VPN. Although we block this traffic, it takes quite a while for the services to fail over to use the external access points, which can cause user perception issues. The simplest way to get around this is if the client is unable to resolve 3 specific DNS entries on our internal domain, but not block DNS lookups to the whole domain. I believe that we may be able to do this via a custom threat signature, but can't for the life of me get it working & was hoping that someone would be able to help me identify how to write the regular expression & which specific DNS decoder to use, as it's driving me nuts.

For info, I've seen the other similar thread (https://live.paloaltonetworks.com/message/22931#22931), but not sure it's quite the same - although happy to be told otherwise.

Thanks very much,

L4 Transporter

Re: Blocking specific DNS lookups via Custom threats

Are you not able to use the DNS Proxy feature of Palo Alto to write up some static DNS entries, and essentially "force" DNS resolution to specific IP addresses, only on traffic that is coming from your GlobalProtect zone?

P.S. - it's a bit funny that you're referencing my thread, and the suggestion I have is basically based on what I learned from that thread :-)

Not applicable

Re: Blocking specific DNS lookups via Custom threats

Thanks,

I guess that's a different way of approaching it - instead of blocking/dropping the specific requests, have static DNS entries pointing to the alternate IPs.

I'll have a go, however not sure of the impact due to the use of certificates & encryption of the comms between client & server, so it may break if the client is connecting to something else. It's worth a try though as I'm struggling to get anything else working right now :-)

In theory though, we should be able to make use of the DNS decoders in the custom vulnerability signatures, however I'm yet to find any decent documentation on the use of the decoders & regular expressions, but will keep looking.

L4 Transporter

Re: Blocking specific DNS lookups via Custom threats

markeating@deloitte.co.uk wrote:

In theory though, we should be able to make use of the DNS decoders in the custom vulnerability signatures, however I'm yet to find any decent documentation on the use of the decoders & regular expressions, but will keep looking.

^^ that says it all... at my shop we would have liked to take advantage of a custom DNS app as well, but the docs were lacking.

Not applicable

Re: Blocking specific DNS lookups via Custom threats - solved!

So after a lot of messing around & finally talking to the right person, have managed to create the following:

  • A custom app that uses a specific dns name in the signature for identification
  • A custom threat/vulnerability profile using a dns name in the signature for identification

In both cases, I can use this new custom signature to allow/block traffic successfully :-)

It turns out that it's quite simple to do really, and I take no credit for figuring it out as the information is on the Palo Alto site (it just wasn't that easy to find). You need to write the pattern match in hex taken from a Wireshark trace under the dns-req-section context as per the details in this link:

I used it last night & had my custom signature working within about 20 minutes of me getting this information.
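The hex form of a DNS name, which the post above takes from a Wireshark trace, can also be generated and checked offline. The following is an added example, not part of the original post or of Palo Alto's documentation; the hostnames are constructed placeholders, and the exact delimiter syntax the signature pattern field expects is not shown on this page, so only the raw hex bytes are produced.

```python
import struct

def encode_qname(hostname: str) -> bytes:
    """Encode a hostname the way it appears in a DNS question:
    each label prefixed by its length, ended by a zero byte."""
    out = bytearray()
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label {label!r} must be 1-63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label; stops the pattern matching longer names
    if len(out) > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    return bytes(out)

def hex_pattern(hostname: str) -> str:
    """Space-separated hex, comparable with the bytes Wireshark shows."""
    return encode_qname(hostname).hex(" ")

def build_query(hostname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal constructed DNS query (header + one question), used only to
    test the pattern without capturing live traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(hostname) + struct.pack("!HH", qtype, 1)

def query_matches(packet: bytes, hostname: str) -> bool:
    """True if the encoded name occurs in the question section."""
    return encode_qname(hostname) in packet[12:]  # skip 12-byte header

if __name__ == "__main__":
    # Constructed placeholder names standing in for the three internal hosts.
    for name in ("mail.corp.example", "lync.corp.example"):
        print(f"{name:22} {hex_pattern(name)}")
    # The match is byte-exact: a differently cased query (MAIL.corp.example)
    # encodes to different bytes, and a name one level deeper
    # (x.mail.corp.example) still contains the pattern.
    print(query_matches(build_query("www.corp.example"), "mail.corp.example"))
```

Comparing this output against a real capture of the client's lookup confirms the bytes before they go into the signature.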
