This blog was written by Zachary Malone.
We have had the DNS Security subscription for just over 5 years now, and in that time it has been extremely successful at solving major issues that companies were struggling with, such as data leakage via DNS tunneling and domain risks like fast flux, dynamically generated domains, and many more. As we gained more and more capabilities, we recognized that certain types of malicious activity, such as DNS Hijacking, could not be addressed with the current cloud-delivered structure that DNS Security leverages. To handle DNS Hijacking we need a machine learning model running inline on a PAN-OS device in the traffic path to build a behavioral model of a company's normal DNS activity. Hence Advanced DNS Security is being released to extend the inline machine learning engine already available with our existing Advanced subscriptions (Threat Prevention, URL Filtering, and WildFire) to support DNS modeling that will protect companies against evolving threats like DNS Hijacking. Advanced DNS Security will also unlock additional capabilities for identifying and controlling interactions with misconfigured DNS, DNS Spoofing, and more.
To understand whether a DNS record or domain has been hijacked, we must first know how the domain typically behaves. We also need a mapping of the company's current DNS domains to know what is in scope (the ML engine will do this discovery and monitoring work automatically, but can also be guided to specific domains). From there the inline ML engine creates a local mapping of the domains and records details that not only provide a recounting of "what things were like before and after the hijacking" (behavioral analytics) but also provide a way to determine whether a domain is properly configured, so that risky misconfigured domains can have an appropriate access policy placed upon them. Advanced DNS Security also brings additional context to DNS Security logging that will improve root cause analysis.
Once the license is installed, operating Advanced DNS Security is quite simple, and getting the details and logs of what it finds is even simpler. Configuration can be as simple as checking two boxes in your Anti-Spyware profile(s); the resulting visibility automatically rolls into the Dashboard and Threat logs. Simple yet effective protection that everyone can use.
Administrators will find new options to be enabled in their Anti-Spyware profiles once the Advanced DNS subscription has been properly licensed.
Set the domains to analyze for misconfiguration
Specify any public-facing parent domains within your organization that you want Advanced DNS Security to analyze and monitor for the presence of misconfigured domains. Misconfigured domains are inadvertently created by domain owners who point alias records (CNAME, MX, or NS record types) at third-party domains using entries that are no longer valid, allowing an attacker to take over the domain by registering the expired or unused domain. (TLDs (top-level domains) and root-level domains cannot be added to the DNS Zone Misconfigurations list.)
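The misconfiguration described above can be checked on the defender's side by auditing a zone's own alias-style records for targets that no longer resolve. The following is an added example, not Palo Alto Networks code: it assumes a resolver callable that answers "OK", "NXDOMAIN" or "SERVFAIL", a crude last-two-labels guess for the registrable parent, and a constructed sample zone with constructed answers so it runs offline.

```python
"""Audit alias-style zone records (CNAME, MX, NS) for dangling targets.
Added example, not Palo Alto Networks code. The resolver is injected so the
sample runs offline against a constructed answer table.
"""
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]      # (owner, rtype, target)
Resolver = Callable[[str], str]    # returns "OK", "NXDOMAIN" or "SERVFAIL"
ALIAS_TYPES = {"CNAME", "MX", "NS"}

def registrable_parent(name: str) -> str:
    """Crude registrable-domain guess (last two labels); not public-suffix aware."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def audit_zone(records: List[Record], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {finding: ["owner TYPE target", ...]} for alias records with dead targets."""
    findings: Dict[str, List[str]] = {
        "dangling_target": [], "claimable_parent": [], "resolver_error": []}
    for owner, rtype, target in records:
        if rtype not in ALIAS_TYPES:
            continue  # A/AAAA/TXT data does not delegate to another name
        status = resolve(target)
        line = f"{owner} {rtype} {target}"
        if status == "OK":
            continue
        if status != "NXDOMAIN":
            findings["resolver_error"].append(line)  # re-check before acting
        elif resolve(registrable_parent(target)) == "NXDOMAIN":
            findings["claimable_parent"].append(line)  # whole parent is unregistered
        else:
            findings["dangling_target"].append(line)  # host gone, parent still owned
    return findings

# Constructed sample zone and resolver answers (not real data).
SAMPLE_ZONE: List[Record] = [
    ("www.example.test", "A", "192.0.2.10"),
    ("shop.example.test", "CNAME", "shop-123.oldsaas.test"),
    ("legacy.example.test", "CNAME", "app.expired-vendor.test"),
    ("example.test", "MX", "mail.example.test"),
    ("example.test", "NS", "ns1.dead-dnshost.test"),
]
SAMPLE_ANSWERS = {
    "shop-123.oldsaas.test": "NXDOMAIN", "oldsaas.test": "OK",
    "app.expired-vendor.test": "NXDOMAIN", "expired-vendor.test": "NXDOMAIN",
    "mail.example.test": "OK", "ns1.dead-dnshost.test": "SERVFAIL",
}

def sample_resolver(name: str) -> str:
    return SAMPLE_ANSWERS.get(name, "NXDOMAIN")  # unknown names answer NXDOMAIN
```

A record whose registrable parent is itself unregistered is the urgent case, since anyone can register that parent and answer for the alias; a dangling host under a parent still held by the vendor is a cleanup item.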
Configure the maximum Advanced DNS signature lookup timeout setting. When this value is exceeded, the DNS response passes through without being analyzed by Advanced DNS Security. DNS signatures (and their associated policies) that are delivered through regular content updates, or that are part of configured EDLs (external dynamic lists) or DNS exceptions, are still applied.
Logs are rolled into the Threat log (Monitor > Logs > Threat). Administrators can filter the logs based on the specific Advanced DNS Security domain category, for example ( category-of-threatid eq adns-hijacking ).
New Advanced DNS Security Categories
Threat ID of (UTID: 109,004,100).
DNS Misconfiguration domains have three Threat IDs, which correspond to three variants of DNS misconfiguration domain types:
dnsmisconfig_zone (UTID: 109,004,200)
dnsmisconfig_zone_dangling (UTID: 109,004,201)
dnsmisconfig_claimable_nx (UTID: 109,004,202)
You can constrain the search by cross-referencing a Threat-ID value that corresponds to a specific DNS misconfiguration domain type.
For example, ( category-of-threatid eq adns-dnsmisconfig ) and (threatid eq 109004200), where 109004200 is the Threat ID of a DNS misconfiguration domain that does not route traffic to an active domain due to a DNS server configuration issue.
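To show how the category filter and the Threat ID cross-reference narrow a result set, here is an added example (not Palo Alto Networks code) that evaluates the filter strings used above over constructed Threat log records. It supports only the subset of the filter syntax seen in this post (parenthesized field eq/neq value terms joined by and/or) and assumes record fields named category-of-threatid, threatid and domain.

```python
"""Evaluate PAN-OS style Threat log filters over sample log records.
Added example, not Palo Alto Networks code. Only the subset of the filter
syntax used in the post is supported: `( field eq value )` terms, `neq`,
and `and` / `or` between terms ('and' binds tighter than 'or').
"""
import re
from typing import Dict, List

TERM = re.compile(r"\(\s*([\w-]+)\s+(eq|neq)\s+([\w-]+)\s*\)")

def matches(record: Dict[str, str], filter_expr: str) -> bool:
    """True if the record satisfies the filter expression."""
    def term_value(m) -> str:
        field, op, value = m.group(1), m.group(2), m.group(3)
        hit = str(record.get(field, "")) == value
        return "1" if (hit if op == "eq" else not hit) else "0"
    # Reduce every term to 1/0, leaving only a boolean skeleton to evaluate.
    skeleton = " ".join(TERM.sub(term_value, filter_expr).split())
    if set(skeleton.split()) - {"0", "1", "and", "or"}:
        raise ValueError(f"unsupported filter syntax: {filter_expr}")
    return any(all(tok == "1" for tok in group.split(" and "))
               for group in skeleton.split(" or "))

def search(logs: List[Dict[str, str]], filter_expr: str) -> List[str]:
    """Domains of the log records matched by the filter, in log order."""
    return [r["domain"] for r in logs if matches(r, filter_expr)]

# Constructed Threat log records using the post's category and threat IDs.
SAMPLE_THREAT_LOGS: List[Dict[str, str]] = [
    {"threatid": "109004100", "category-of-threatid": "adns-hijacking",
     "domain": "login.example.test"},
    {"threatid": "109004200", "category-of-threatid": "adns-dnsmisconfig",
     "domain": "shop.example.test"},
    {"threatid": "109004201", "category-of-threatid": "adns-dnsmisconfig",
     "domain": "legacy.example.test"},
    {"threatid": "109004202", "category-of-threatid": "adns-dnsmisconfig",
     "domain": "old.example.test"},
]
```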
Advanced DNS also brings additional context to DNS Security logs, which can be found with the following filters:
Advanced DNS Security widgets will be added to the existing DNS Security dashboard (Dashboards > More Dashboards > DNS Security).
The Command Center in Strata Cloud Manager will also include Advanced DNS details in the Threats > DNS Security drill-down.