DNS issue due to Proxy-Avoidance-and-Anonymizers software


L0 Member

Hello All,

We observed a Sev 1 issue last week which was related to internet slowness that impacted a large number of users. At the time the issue started, we observed DNS traffic blocks between our DNS server and the URL services.disconnect.me (the Palo Alto firewall was flagging it as a Threat).

Regarding this URL: this is related to a browser extension, "disconnect me", which is not malicious; it is used to avoid tracking on the internet.

URL: services.disconnect.me

Categories: Proxy-Avoidance-and-Anonymizers

Risk Level: Low-Risk


My setup is: client -> internal DNS server -> DNS proxy (PAN firewall) -> external DNS server


Though, the issue was fixed after removing DNS Security from my anti-spyware profile, which was called in the DNS rule.


I'm trying to understand if this URL/extension, or a similar ad-blocking/anti-tracking extension, can impact/corrupt the DNS traffic and eventually choke the network.


L0 Member

I initially set a rule following Palo Alto's best practices using the recommended block of unwanted or malicious URL Categories. Starting in late 2024, I noticed that iOS devices using PrivateRelay were being blocked by the rule. I did the following to start allowing the traffic again on guest networks.

1. Create address objects for URLs related directly to Apple PrivateRelay using tags like Apple, URL, PrivateRelay. Group them with a Dynamic Group by the tags.

2. Remove dynamic-dns and proxy-avoidance-and-anonymizers from the primary protection rule blocking the PA recommended URL Categories.

3. Clone the primary security rule that included all the recommended URL categories.

4. Add dynamic-dns as the only URL category to block.

5. Add a destination address to the new Dynamic Group and tick negate.

6. Clone this rule and change the URL category to proxy-avoidance-and-anonymizers.


In theory this would allow only those URLs to pass this rule.


I am sure there are other methods, but this allows a single rule to allow defined URLs through this security rule.
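The six steps above, rendered as PAN-OS CLI `set` commands (an added illustration, not the poster's own configuration; the FQDN, zone names and rule names are placeholders, and the exact syntax should be checked against your PAN-OS version before committing):

```text
# Step 1: tagged FQDN address objects (PLACEHOLDER FQDN - substitute the real PrivateRelay hosts)
set tag Apple color color1
set tag URL color color2
set tag PrivateRelay color color3
set address privaterelay-host-1 fqdn PLACEHOLDER.example.com
set address privaterelay-host-1 tag [ Apple URL PrivateRelay ]
# Dynamic address group that collects every object carrying the Apple and PrivateRelay tags
set address-group apple-privaterelay dynamic filter "'Apple' and 'PrivateRelay'"

# Step 2: edit the existing primary block rule (name is a placeholder) so that
# dynamic-dns and proxy-avoidance-and-anonymizers are no longer in its category list
delete rulebase security rules block-recommended-categories category dynamic-dns
delete rulebase security rules block-recommended-categories category proxy-avoidance-and-anonymizers

# Steps 3-5: cloned rule that blocks only dynamic-dns, with destination = the dynamic
# group and negate ticked, so the deny applies to every destination EXCEPT those hosts
set rulebase security rules block-dynamic-dns from guest to untrust
set rulebase security rules block-dynamic-dns source any
set rulebase security rules block-dynamic-dns destination apple-privaterelay
set rulebase security rules block-dynamic-dns negate-destination yes
set rulebase security rules block-dynamic-dns application any service application-default
set rulebase security rules block-dynamic-dns category dynamic-dns
set rulebase security rules block-dynamic-dns action deny

# Step 6: same shape again, category swapped to proxy-avoidance-and-anonymizers
set rulebase security rules block-proxy-avoidance from guest to untrust
set rulebase security rules block-proxy-avoidance source any
set rulebase security rules block-proxy-avoidance destination apple-privaterelay
set rulebase security rules block-proxy-avoidance negate-destination yes
set rulebase security rules block-proxy-avoidance application any service application-default
set rulebase security rules block-proxy-avoidance category proxy-avoidance-and-anonymizers
set rulebase security rules block-proxy-avoidance action deny
```

With negate-destination set, traffic to the PrivateRelay group does not match either deny rule and continues down the rulebase, which is where the "allow only those URLs" effect comes from. Both cloned rules still need to sit above any broad allow rule in the rulebase order to have any effect.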

Cyber Elite

Hello,

Clog the network, not really, but it would cause issues such as you experienced. I always recommend using a secure DNS provider and only allowing traffic to it from inside hosts. If you have an internal DNS server, all inside hosts should point to it and the DNS server should point to a secure provider.


https://skrzsecurity.net/securedns


Regards,
