How to write a custom app signature that allows only a specific DNS query?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to write a custom app signature that allows only a specific DNS query?

L4 Transporter

We'd like to build a custom app ID that permits only one specific DNS query to make it through... for example, we want wireless clients (which have our Palo Alto as their default gateway) to only query for the DNS A record "vpngateway.example.com"

Has anyone built anything like this? The custom app signature tech note focuses specifically on HTTP... if we could get an example of building a DNS specific custom app signature, that would be awesome

Thanks guys,

Eric

1 accepted solution

Accepted Solutions

L4 Transporter

Just to kind of follow up on this and provide some closure, the way we decided we're going to do this is via PA's DNS proxying... we're going to force proxying on and only allow the one specific domain we want to resolve via DNS to be explicitly resolved to the IP we want that one host record to resolve to. This basically solves our problem in a reasonably elegant way.

View solution in original post

4 REPLIES 4

L1 Bithead

you can use context 'dns-req-section' and \x to start and end hex

bytes for length to construct the domain name in the question like the

example below, however I'm not aware of how to construct a valid

pattern to match case insensitive.

the below will match www.hp.com but not www.HP.COM and so on.

also, if you could match case insensitive someone could use

name/label compression to subvert the pattern match.

set application dns-qname-www.hp.com signature www.hp.com and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern \x03\xwww\x02\xhp\x03\xcom\x0000010001\x

set application dns-qname-www.hp.com signature www.hp.com and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context dns-req-section

set application dns-qname-www.hp.com signature www.hp.com scope protocol-data-unit

set application dns-qname-www.hp.com signature www.hp.com order-free yes

set application dns-qname-www.hp.com signature www.hp.com comment "0001 is type A 0001 is class IN"

set application dns-qname-www.hp.com parent-app dns

L0 Member

Hi Eric,

I'm afraid you might be out of luck here. One of the many differences between DNS and HTTP is that the first one is 1 packet in each direction.

This means in your case you won't be able to have the custom app matched unless DNS as a parent application is allowed but if you do this all DNS requests will be allowed through not just the one you specify in your customer app.

Let's assume you create your custom_dns application where www.hp.com is detected and allow it in a policy from A(client) to B (dns server).

Now, if the default dns application is denied as soon as the firewall detects that this is a DNS request (It does it before the content is inspected) the request will be denied. Application has been detected as dns and there is an deny action associated wit it

On the other hand if the default dns application is allowed when the traffic goes through the firewall the application will shift from dns (the default one) to the custom_dns as soon as the firewall reads the content. So in the logs you'll see a correct match with the custom_dns app you created but being this the mechanism this implies all other dns requests will be allowed as well.

.

Hope this helps to understand the logic.

-Salvo

L4 Transporter

Just to kind of follow up on this and provide some closure, the way we decided we're going to do this is via PA's DNS proxying... we're going to force proxying on and only allow the one specific domain we want to resolve via DNS to be explicitly resolved to the IP we want that one host record to resolve to. This basically solves our problem in a reasonably elegant way.

Hi Eric,

have a look at the post I updated ()- gives details of exactly how to do this via a custom app/custom threat signature.

I've just done this to do the reverse of what you're trying - allow lookups to an entire domain, but block 1 specific dns entry out of the entire domain, so it is possible.

  • 1 accepted solution
  • 5637 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!