Has anyone done a custom APP to block recursive DNS queries?

cancel
Showing results for 
Search instead for 
Did you mean: 

Has anyone done a custom APP to block recursive DNS queries?

L0 Member

 I've built two signatures for DNS.  One to indicate recursive lookup and not recursive lookup.   When I test,  the app that is evaluated first is triggered.  reverse the order and the formerly 2nd app triggers.   It is like the expressions are not evaluated.

 

Has anyone done this before?

 

I have a case open with paloalto about this, but it has been open for almost a year.

3 REPLIES 3

L3 Networker

what does your signature look like?

L0 Member

I want to block the request traffic that this wireshark display filter would select:

(((dns.flags.response == 0) && (dns.flags.recdesired == 1)) && (dns.flags.opcode == 0)) && (ip.proto == 17)    and only looking at port 53 traffic.

 

mcannady_0-1658171659179.png

 

Just create a 4 conditions that match a string and the specify the text.

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

I think that the dns request header context should do the job:

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

You can also match on a reqex but you will need a reqex that matches 4 strings/words and they all should be in the pact (AND &&) but maybe better just add 4 conditions joined with a ‘AND’ that have the four patters as I said.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!