DNS security and cloud lookup

Reply
L4 Transporter

DNS security and cloud lookup

 

With PAN OS 9.0 Does PA do cloud clookup for everydomain 

or 

 

only for domains which are not in DNS sinkhole of Antispyware profile?

 

I was told DNS security is a  part of PAN DB  so when clouds verdict is that particular domain is  bad hows does this info come to PA in real time?

 

I know it comes via Management interface but which security profile or database it uses to update the PA?

 

Community Manager

Re: DNS security and cloud lookup

@MP18 

If a DNS query is sinkholed by ThreatPrevention, it will not need to be looked up by DNS Security. 

DNS Security does cloud lookups for every query it sees (unless the result is already cached) pretty much in the same way URL Filtering works. It is applied in the DNS Signatures  section of the AntiSpyware profile, there is no local database, rather a cache is used and cloud lookups are done through the management interface (or a service route)


Help the community: Like helpful comments and mark solutions
Reaper out
Highlighted
L4 Transporter

Re: DNS security and cloud lookup

Many thanks Reaper.

L4 Transporter

Re: DNS security and cloud lookup

Ok, maybe I need to seek clarification.

 

From the education training courses, it is understood/taught that DNS Security is used in the sinkhole function of the Spyware profile.

I am confused if anyone says DNS Security is sinkholed by Threat Prevention.

It is actually (in my mind) that the DNS Security license is using being used in sinkhole functionality, for the purpose of Threat Prevention. 

 

I also believe that PANW asks customer to enable the Passive DNS Monitoring under Telemetry to find new unsual DNS queries to be sent to WF, to be confirmed that the DNS query is a fast flux domain, and then it pushed down or updated the Malware or Command and Control URL categories in the PAN-DB.

 

Comments accepted.  :P

Community Manager

Re: DNS security and cloud lookup

In the spyware profile there are 2 sinkhole profiles, -one for threat prevention, which is updated through dynamic updates and is basically a list of bad dns queries, -the second uses dynamic lookups through the dns security service They both perform the same function but through different source mechanics Your passive dns comment is correct

Help the community: Like helpful comments and mark solutions
Reaper out
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!