Has anyone done a custom APP to block recursive DNS queries?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Has anyone done a custom APP to block recursive DNS queries?

L0 Member

 I've built two signatures for DNS.  One to indicate recursive lookup and not recursive lookup.   When I test,  the app that is evaluated first is triggered.  reverse the order and the formerly 2nd app triggers.   It is like the expressions are not evaluated.

 

Has anyone done this before?

 

I have a case open with paloalto about this, but it has been open for almost a year.

4 REPLIES 4

L3 Networker

what does your signature look like?

L0 Member

I want to block the request traffic that this wireshark display filter would select:

(((dns.flags.response == 0) && (dns.flags.recdesired == 1)) && (dns.flags.opcode == 0)) && (ip.proto == 17)    and only looking at port 53 traffic.

 

mcannady_0-1658171659179.png

 

Just create a 4 conditions that match a string and the specify the text.

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

I think that the dns request header context should do the job:

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

You can also match on a reqex but you will need a reqex that matches 4 strings/words and they all should be in the pact (AND &&) but maybe better just add 4 conditions joined with a ‘AND’ that have the four patters as I said.

L6 Presenter

Did you manage to resolve this ? Also as a note you can do app flow debug to see if you are matching the correct app to get the idea if Palo Alto is not matching the wrong app:

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r...

 

Maybe try also switching between DNS UDP to TCP or vice versa as this could be related  to the issue who knows (maybe TCP DNS and UDP DNS are seen differently by the palo alto device) as maybe you will need to use custom app with unknown tcp/udp context (CPU intensive just for info):

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

 

You can play also with using the Palo Alto DNS proxy feature as this may help.

 

  • 3027 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!