New Advanced URL Filtering/PANDB Category: Encrypted-DNS

L2 Linker


 

Palo Alto Networks is releasing a new category called “Encrypted-DNS” under Advanced URL Filtering. 

 

ACTION: By default, the action for the “Encrypted-DNS” category is set to "Allow". Palo Alto Networks recommends configuring your URL Filtering security profile(s) to "Block" DNS over HTTPS (DoH) requests if DoH is not permitted (unsanctioned) within your network. If DoH is already blocked as part of your Decryption and App-ID configuration, no additional action is required (as outlined here: Protecting Organizations in a World of DoH and DoT).

 

What is the “Encrypted-DNS” category?

Unlike traditional DNS, protocols like DNS over HTTPS encrypt DNS requests and responses to ensure privacy and security for end users. Support for DoH is available and enabled by default in all popular browsers, such as Google Chrome and Mozilla Firefox, as well as in software from leading vendors like Apple and Microsoft. Encrypted-DNS is a new category added in the Advanced URL Filtering subscription to handle DoH traffic.

 

Will the “Encrypted-DNS” category be visible across all PAN-OS versions?

Yes. However, it is only supported on PAN-OS 9.1 and above. For PAN-OS version 9.0 and below, Encrypted-DNS detections will be covered under the “Computer-and-internet-info” category.

 

When will the “Encrypted-DNS” category be available?

The “Encrypted-DNS” category will be visible on the administrator management console beginning October 6th, 2022, although we will not use the category to classify web pages until December 8th, 2022.  

 

When will the “Encrypted-DNS” category be functional?

Starting December 8th, 2022, Palo Alto Networks will start publishing URLs that resolve DoH queries (DoH resolvers). Please ensure that your security policy rules are configured properly for this new category.  

 

Note: The Encrypted-DNS category functionality will only be supported on PAN-OS versions 9.1 onwards. For PAN-OS version 9.0 and below, Encrypted-DNS detections will be covered under the “Computer-and-internet-info” category.

 

What is the recommended action for the “Encrypted-DNS” category?

Protocols like DoH encrypt DNS queries and hide the domains requested by a user. By blocking DoH traffic, applications using DoH fall back to regular DNS, allowing organizations to gain visibility and control of their internet traffic.

 

ACTION: Our recommendation is to "Block" Encrypted-DNS traffic in your URL filtering security profiles. 
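
One way to check the recommendation above against an exported configuration is to list every URL Filtering profile that does not block the category. This is an added example, not Palo Alto Networks code; the XML layout of the constructed sample and the rule that an unlisted category is allowed are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption modeled on a
# PAN-OS configuration export, not copied from a real device.
SAMPLE_CONFIG = """\
<config><profiles><url-filtering>
  <entry name="strict-web">
    <block><member>malware</member><member>encrypted-dns</member></block>
    <alert><member>unknown</member></alert>
  </entry>
  <entry name="legacy-web">
    <block><member>malware</member></block>
    <alert><member>encrypted-dns</member></alert>
  </entry>
  <entry name="guest-web">
    <block><member>phishing</member></block>
  </entry>
</url-filtering></profiles></config>
"""

CATEGORY = "encrypted-dns"
# Action containers searched in each profile entry (assumed element names).
ACTIONS = ("block", "override", "continue", "alert", "allow")

def effective_action(profile, category=CATEGORY):
    """Return the action a profile entry applies to `category`."""
    for action in ACTIONS:
        members = {m.text.strip() for m in profile.findall(f"{action}/member") if m.text}
        if category in members:
            return action
    # Assumption: a category listed under no action is allowed, which
    # matches the default "Allow" stated for this category.
    return "allow"

def audit(config_xml, category=CATEGORY):
    """Map each URL Filtering profile name to its action for `category`."""
    root = ET.fromstring(config_xml)
    return {entry.get("name"): effective_action(entry, category)
            for profiles in root.iter("url-filtering")
            for entry in profiles.findall("entry")}

def non_blocking(config_xml, category=CATEGORY):
    """Names of profiles that still let the category through."""
    return sorted(n for n, a in audit(config_xml, category).items() if a != "block")

if __name__ == "__main__":
    for name, action in sorted(audit(SAMPLE_CONFIG).items()):
        status = "ok" if action == "block" else "REVIEW"
        print(f"{name:12} {CATEGORY}={action:8} {status}")
```

Profiles that only alert on the category are reported as well, since alerting logs DoH requests but does not force the fallback to regular DNS.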

 

Note: In an upcoming PAN-OS release, the DNS Security subscription will support inspection of DNS over HTTPS traffic. With this support, this new category can be used to enforce decryption of DoH traffic and apply DNS Security inspection. Please stay tuned for further information.

 

 

Additional Information:

For more information on best practices when managing URL Filtering categories, refer to these resources:

URL Filtering Category Recommendations

Complete List of Advanced URL Filtering Categories

 

10 Comments
L2 Linker

Hi,

 

I just updated my lab Palo Alto to version 8626, which has only a PAN-DB URL Filtering subscription (not Advanced URL Filtering), and I am not seeing the new category under my URL Filtering Profile(s).

 

The header of this article is written as "New Advanced URL Filtering/PANDB Category: Encrypted-DNS".

 

But it looks like it only covers Advanced URL Filtering.

"Palo Alto Networks is releasing a new category called “Encrypted-DNS” under Advanced URL Filtering."

 

So, what action steps should those of us who have only a PAN-DB URL Filtering subscription follow?

 

Edit: With Application and Threats update version 8627, the Encrypted-DNS category is showing now. Thanks!

L0 Member

Same here,

 

We have an Advanced URL subscription, but the new category is not visible either.

L1 Bithead

Same but with Advanced URL filtering.  Not showing on Panorama nor firewalls.

Update:  8626

L0 Member

Same here. Update 8626 and no 'encrypted-dns' category in URL filtering.

L0 Member

New Content Update released - 8627. Includes the 'encrypted-dns' category in URL filtering now. Thanks!

Community Team Member

Hi @LindseyPerry , @boris.kasper ,

 

Which content update release do you have downloaded? If you download 8627, users above are showing the encrypted-DNS category is now showing. 

L0 Member

Hello,

I have content update 8628 and this category appears now on URL filtering but my question is:

 

If it is recommended to set the action as "Block", why is the default action in the "default" URL filtering predefined profile set to "allow"?

 

Regards

L3 Networker

I too have always wondered why the default action is Allow for features like this when it is recommended it be set to Block.

Hi @clewis1 ,

You can find similar discussion which could answer your question in here - https://live.paloaltonetworks.com/t5/general-topics/url-set-to-allow-ransomware/m-p/516404#M107236

L1 Bithead

@JayGolf 

As of this morning we are running Ver 8630, I was on 8626 when I originally posted.  Encrypted-dns was available when I got back into the office Tuesday.

Thanks for your response.
