Ignite & Activate: How Advanced DNS Security Neutralizes Malicious TDS

Community Blogs

By: @aechano 

Co-Author: @tbolatiwa 


Imagine a trusted employee clicks a legitimate-looking link. In a fraction of a second, an invisible chain of redirects begins. A stealthy, automated system analyzes their device, identifies them as a perfect target, and directs them to a sophisticated, custom-crafted phishing site or a tech-support scam. This isn't random chance; it's a precisely engineered attack powered by a Malicious Traffic Distribution System (TDS).


Recent campaigns, such as Parrot TDS, have compromised tens of thousands of websites, weaponizing TDS to deliver malware, phishing pages, and dangerous scams. These threats don't rely on known malware signatures; they hide their intent in the most overlooked part of the network—DNS traffic.


Predictive Defense Against Traffic Distribution Systems (TDS)

A Traffic Distribution System (TDS) is a backend platform that cybercriminals use to evaluate each visitor on factors such as geography, operating system, browser, and referrer, then route them to the most profitable malicious landing page. Visitors that do not fit the target profile are sent to a harmless page instead.

Figure 1: Stages of a Malicious TDS Attack

Traditional security often fails against malicious TDS for two reasons:

  • Selectivity: The TDS acts as a cloaking layer. It fingerprints each visitor (geography, operating system, browser, and whether the request looks automated) and serves a benign page to crawlers, sandboxes, and researchers, while delivering the malicious payload only to the specific targets it was built to catch. A scanner that simply fetches the link therefore sees nothing wrong.
  • DNS as a Covert Channel: Modern TDS code fetches its next redirection URL or command from DNS records, particularly TXT records, so the control logic travels inside ordinary-looking DNS queries. Web filters and security proxies that inspect only HTTP never see that lookup, and the landing domain it points to may have been registered only recently and is unlikely to be on a blocklist yet.
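The TXT-record covert channel in the second bullet is easy to check for in your own DNS logs. The following is an added example, not code from the original post or from Palo Alto Networks: it scans a handful of constructed TXT answers (placeholder names under the reserved .invalid TLD) and flags any whose text, in clear or after base64 decoding, carries a URL, while skipping well-known legitimate TXT formats such as SPF and DMARC.

```python
import base64
import re

# Constructed sample of DNS TXT answers, as a resolver log or passive-DNS feed
# might record them. The .invalid names are placeholders, not real indicators.
SAMPLE_TXT_RESPONSES = [
    ("example.com", "v=spf1 include:_spf.example.com -all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    # A TDS "config" record: the next hop is base64-encoded so it does not
    # look like a URL to a naive string match.
    ("cfg.tds-control.invalid",
     base64.b64encode(b"https://landing-page.invalid/path?id=42").decode()),
    # A TDS record carrying the next hop in clear text.
    ("step2.tds-control.invalid", "https://next-hop.invalid/redir?c=win-chrome"),
    # An ACME challenge token: random base64url text that decodes to noise.
    ("_acme-challenge.example.com", "gfj9Xq7l0P8mRzvBjjkq3sd1Qa8sTfF5LW0s3xUu9v4"),
]

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"']*)?")

# Prefixes of record types that legitimately live in TXT; skipped to keep the
# false-positive rate down.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")


def decode_candidates(txt):
    """Yield the raw TXT string and, when it decodes cleanly, its base64 plaintext."""
    yield txt
    stripped = txt.strip()
    padded = stripped + "=" * (-len(stripped) % 4)  # tolerate unpadded base64
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield decoded


def classify_txt(qname, txt):
    """Return ('benign', None) or ('suspect', url) for one TXT answer."""
    if txt.startswith(BENIGN_PREFIXES):
        return "benign", None
    for candidate in decode_candidates(txt):
        match = URL_RE.search(candidate)
        if match:
            return "suspect", match.group(0)
    return "benign", None


def scan(records):
    """Return [(qname, url)] for every TXT answer that smuggles a redirect URL."""
    hits = []
    for qname, txt in records:
        verdict, url = classify_txt(qname, txt)
        if verdict == "suspect":
            hits.append((qname, url))
    return hits


if __name__ == "__main__":
    for qname, url in scan(SAMPLE_TXT_RESPONSES):
        print(f"{qname}: TXT answer carries next hop {url}")
```

A URL inside a TXT answer is not proof of malice on its own (some verification records embed one), so treat a hit as a pivot point: check the age and reputation of the domain it points to and whether the querying host then connected there.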

The answer to this evasive threat is to introduce predictive, machine learning-driven security at the DNS layer itself. Palo Alto Networks Advanced DNS Security uses cloud-based AI and deep threat intelligence to identify structural and behavioral anomalies in a TDS network and neutralize the attack before the redirection chain can complete.


Advanced DNS Security, powered by Precision AI, works by looking beyond individual domain names to identify the malicious infrastructure itself.

  • Topological Analysis: Our cloud-based machine learning models analyze the relationships between domains in a DNS query stream. Malicious TDS infrastructure exhibits distinctive topological characteristics, such as unusually long redirection chains, many unrelated entry domains funneling into the same gate, and a high degree of connectivity among domains whose DNS answers change rapidly (fast flux). Our models identify this collective fingerprint rather than judging each domain name in isolation.

  • Real-Time Predictive Blocking: The system draws on a large, continuously growing threat intelligence pool to apply predictive analytics, so it can flag new malicious domains, including those produced by Domain Generation Algorithms (DGA) for TDS networks, shortly after registration and often before they are activated in an attack.

  • Instant, Automated Enforcement: Once a domain is categorized as malicious (including the infrastructure behind a TDS), the verdict is delivered to your Next-Generation Firewall. The firewall can sinkhole the DNS query, answering it with a crafted response that points the client at a safe, controlled IP address instead of the attacker's server. That severs the communication channel, and it has a second benefit over a plain block: when clients resolve through an internal recursive resolver, the DNS threat log shows only the resolver's address, but the infected client's follow-on connection to the sinkhole IP appears in the traffic log under its own address, so you can find the host that needs cleanup.
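To make the Topological Analysis point above concrete, here is an added example (not code from the original post or from Palo Alto Networks' models) that computes the two simplest topology signals over a constructed set of redirect observations: chains that are unusually long, and hosts that many unrelated sites funnel into. All hostnames are placeholders under .example and the reserved .invalid TLD, and the edge list is a stand-in for whatever proxy or browser telemetry you actually collect.

```python
from collections import defaultdict

# Constructed redirect observations (referrer host -> next hop host), as a
# proxy or browser-telemetry pipeline might record them. Every name is a
# placeholder; the .invalid TLD is reserved and never resolves.
OBSERVED_REDIRECTS = [
    # Three compromised sites all funnel into one TDS gate...
    ("blog-a.example", "gate.tds-hub.invalid"),
    ("blog-b.example", "gate.tds-hub.invalid"),
    ("blog-c.example", "gate.tds-hub.invalid"),
    # ...which rotates through short-lived intermediaries...
    ("gate.tds-hub.invalid", "r1.rotating.invalid"),
    ("gate.tds-hub.invalid", "r2.rotating.invalid"),
    # ...before landing on the scam page. One intermediary loops back.
    ("r1.rotating.invalid", "land.scam.invalid"),
    ("r2.rotating.invalid", "land.scam.invalid"),
    ("r2.rotating.invalid", "gate.tds-hub.invalid"),
    # Ordinary one-hop redirects that should not be flagged.
    ("shop.example", "pay.example"),
    ("news.example", "cdn.example"),
]


def build_graph(edges):
    """Adjacency in both directions: successors and predecessors per host."""
    out, inc = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        out[src].add(dst)
        inc[dst].add(src)
    return out, inc


def longest_chain(out, start):
    """Longest simple redirect path from start; the path check stops loops."""
    best = [start]

    def dfs(node, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in sorted(out.get(node, ())):  # sorted for a deterministic result
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return best


def entry_points(out, inc):
    """Hosts that redirect but are never redirected to: where victims enter."""
    return sorted(n for n in out if n not in inc)


def score_infrastructure(edges, min_hops=3, min_fan_in=3):
    """Return (long chains, hub hosts): the two topology signals from the text."""
    out, inc = build_graph(edges)
    long_chains = [
        chain for chain in (longest_chain(out, e) for e in entry_points(out, inc))
        if len(chain) - 1 >= min_hops
    ]
    hubs = sorted(n for n, srcs in inc.items() if len(srcs) >= min_fan_in)
    return long_chains, hubs


if __name__ == "__main__":
    chains, hubs = score_infrastructure(OBSERVED_REDIRECTS)
    for chain in chains:
        print(f"{len(chain) - 1}-hop chain: " + " -> ".join(chain))
    print("high fan-in hubs:", hubs)
```

The thresholds (three hops, three unrelated sources) are illustrative; in practice you tune them against your own baseline, and the useful verdict is on the hub and its rotating intermediaries as a group, which is exactly why a single-domain reputation lookup misses them.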

The same infrastructure-level analysis covers a broader spectrum of evasive DNS-layer threats, including domain hijacking, masquerading, domain shadowing, DNS tunneling, and fast-flux infrastructure, which attackers use to redirect victims discreetly, hide command-and-control activity, and bypass traditional security tools.

Step-by-Step Guide: Enabling Advanced DNS Security

First, confirm that the Advanced DNS Security license is active and that the device is running PAN-OS 11.2 or later. The detection itself is also delivered to the regular DNS Security license, but running the latest PAN-OS release gives you the most current DNS protection capabilities and security enhancements. With those prerequisites in place, set the action for the malware category to sinkhole to protect your environment against malicious Traffic Distribution System (TDS) techniques and other advanced DNS-layer threats.

If Advanced DNS Security is not yet enabled, activating it is straightforward whether you manage your environment through Strata Cloud Manager (SCM) or Panorama.

Activate on Strata Cloud Manager (SCM):

  1. Navigate: In the SCM UI, go to Manage > Configuration > NGFW and Prisma Access.
  2. Select Scope: Choose the configuration scope (folder or device) you want to protect.
  3. Go to: Security Services > DNS Security.
  4. Configure Policy: Open the DNS Security profile in use and set the malware category, which encompasses Malicious TDS detection, to block or sinkhole.
  5. Apply Profile to DNS Rule: Make sure that profile is attached (directly or through its profile group) to the Security Policy rule that allows DNS traffic.
  6. Save and Push: Click Save, then Push Config to apply the changes.

Figure 2: DNS and Advanced DNS Security Category Settings Overview

Activate on Panorama:

  1. Navigate: Go to Objects > Security Profiles > Anti-Spyware.
  2. Select: Open the Anti-Spyware profile that holds your DNS Security settings and is referenced by your security policies.
  3. Action: Under the DNS Policies tab, review the pre-defined DNS Security categories.
  4. Set Policy: For the malware category, which encompasses Malicious TDS Detection, set the action to Block or, preferably, Sinkhole if it is not already.
  5. Save and Commit: Click OK, Commit to Panorama, and then Push the changes to the managed firewalls.
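For teams that script their configuration, the same change from the firewall CLI, given here as an added example rather than a fragment of the original post. The profile name Default-DNS-Sec is a placeholder, the Panorama device-group form in the comment is assumed rather than taken from the page, and you should confirm the exact syntax with the CLI's ? completion on your PAN-OS version before committing.

```text
# Firewall CLI, configure mode. On Panorama the same lines are assumed to sit
# under "set device-group <dg-name> profiles spyware ..." instead.
configure
set profiles spyware "Default-DNS-Sec" botnet-domains dns-security-categories pan-dns-sec-malware action sinkhole
set profiles spyware "Default-DNS-Sec" botnet-domains dns-security-categories pan-dns-sec-malware log-level default
set profiles spyware "Default-DNS-Sec" botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware "Default-DNS-Sec" botnet-domains sinkhole ipv6-address ::1
# Review the resulting profile before committing.
show profiles spyware "Default-DNS-Sec"
commit
```

The sinkhole address matters for the investigation step later on: pick one that is routed to the firewall (the default pan-sinkhole-default-ip is fine) so that infected clients' connections to it show up in the traffic log rather than disappearing into a black hole.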

Figure 3: DNS Security Policy Configuration for Malicious and High-Risk Domains

Once Advanced DNS Security is enabled, your organization gains advanced protection against highly evasive threats, such as malicious TDS, that conventional security methods often miss.

Figure 4: Threat Log View for Malicious TDS Detection

When a threat is detected, the Threat Log records the event with full context: the threat ID and name, the queried domain, the action taken, and the corresponding entry in the Threat Vault. This gives your security team the actionable intelligence it needs to respond quickly to the most sophisticated network threats.
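One response step the log view does not do for you is naming the infected host when DNS goes through an internal resolver: the sinkhole threat log entry then carries the resolver's address, and the real client only shows up in the traffic log when it connects to the sinkhole IP. The following is an added example, not code from the original post or from Palo Alto Networks: it joins constructed, simplified exports of the two logs (real PAN-OS CSV exports have many more columns) to list each client that reached the sinkhole together with the sinkholed domain it most likely resolved. The sinkhole address 198.51.100.1 is a TEST-NET placeholder; substitute the one configured in your Anti-Spyware profile.

```python
import csv
import io
from datetime import datetime, timedelta

# Placeholder sinkhole address (TEST-NET-2). Use the IPv4 address configured
# under the Anti-Spyware profile's DNS sinkhole settings in your environment.
SINKHOLE_IP = "198.51.100.1"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed, simplified log exports. Note that the threat log shows the
# internal resolver (10.0.0.53) as the source of the sinkholed query, not the
# client that asked for the name.
THREAT_LOG_CSV = """receive_time,src,dst,qname,action
2024-05-01 10:00:01,10.0.0.53,203.0.113.10,cfg.tds-control.invalid,sinkhole
2024-05-01 10:00:05,10.0.0.53,203.0.113.10,updates.example,allow
"""

TRAFFIC_LOG_CSV = """receive_time,src,dst,dport,app
2024-05-01 10:00:02,10.0.5.17,198.51.100.1,443,ssl
2024-05-01 10:00:03,10.0.5.17,203.0.113.5,443,ssl
2024-05-01 10:00:04,10.0.7.9,198.51.100.1,80,web-browsing
2024-05-01 10:30:00,10.0.9.2,198.51.100.1,443,ssl
"""


def parse_log(text):
    """Read a CSV export into dicts, turning receive_time into a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["receive_time"] = datetime.strptime(row["receive_time"], TS_FORMAT)
    return rows


def sinkholed_clients(threat_csv, traffic_csv, sinkhole_ip=SINKHOLE_IP,
                      window=timedelta(minutes=5)):
    """Map each client that connected to the sinkhole to the sinkholed domain
    whose DNS answer preceded the connection within `window`, or None when no
    matching threat-log entry exists (the client still reached the sinkhole,
    so it is still worth investigating)."""
    sinkhole_events = [r for r in parse_log(threat_csv) if r["action"] == "sinkhole"]
    results = {}
    for flow in parse_log(traffic_csv):
        if flow["dst"] != sinkhole_ip:
            continue
        client = flow["src"]
        qname = None
        for event in sinkhole_events:
            delta = flow["receive_time"] - event["receive_time"]
            if timedelta(0) <= delta <= window:
                qname = event["qname"]
                break
        # Keep a domain attribution if any sinkhole flow from this client has one.
        if client not in results or results[client] is None:
            results[client] = qname
    return sorted(results.items())


if __name__ == "__main__":
    for client, qname in sinkholed_clients(THREAT_LOG_CSV, TRAFFIC_LOG_CSV):
        suffix = f" after resolving {qname}" if qname else " (no matching DNS event in window)"
        print(f"{client} connected to the sinkhole{suffix}")
```

The time-window join is a heuristic: with a busy resolver, several sinkholed names can fall inside the same window, so treat the attribution as a lead and confirm it from the client's own DNS cache or endpoint telemetry. If clients query the firewall-facing resolver directly rather than through an internal forwarder, the threat log already names the client and the join is unnecessary.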


To truly safeguard your organization from the most advanced and evasive redirection threats, enabling Advanced DNS Security on your Palo Alto Networks Next-Generation Firewall, SASE, or Advanced DNS Security Resolver (ADNSR) solution is not just recommended; it's essential. Take the next step to unmask the invisible and strengthen your security posture today.
