01-17-2019 08:15 AM
Is there a way to view and/or log dns queries and responses (outside of anti-spyware rules)? The passive DNS telemetry configuration seems to do what we want but those fqdn to IP mappings are sent to Palo and it doesn't appear that we can view what fqdns resolve to what IPs in the logs. This doesn't appear to be a feature in the dns proxy object either? Is there anything with PAN-OS that supports this? For all queries not just malicious ones.
01-17-2019 10:23 AM - edited 01-17-2019 11:06 AM
You can setup a continuos packet capture in the firewall for protocol 17 (udp) and destination port 53, and then check the packet capture when you need this information. If you have excessive DNS traffic through your firewall this can cause increased dataplane CPU utilization, so be careful.
For the DNS Proxy feature in the firewall you can check its cache from the CLI:
> show dns-proxy cache all | match <fqdn>
> show dns-proxy cache filter type RR_A all FQDN <fqdn>
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!