This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About DNS security

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

About DNS security

Go to solution
MRamadanAHafiez
L3 Networker

‎04-19-2021 06:47 AM

Hello Bros,

                I my network and my firewall 3220 setup I have a question regarding the DNS security feature.

If you go through creating an anti-spyware profile, and exactly in the DNS signature what is the difference between DNS signature source "Palo Alto networks content DNS signature sinkhole as an action" and " Palo Alto network DNS security and sinkhole as action"

what are difference between both sections DNS security protection and from license perspective ?

MR
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
nikoolayy1
L6 Presenter

‎04-19-2021 10:00 AM - edited ‎04-19-2021 10:01 AM

The one with "DNS security" in it uses another license and it is not free but provides updates in real time to the DNS signatures  (it is something like Wildfire lisense for file attacks) and the other is the free feature that needs manual  dynamic updates to update the signatures and it will not provide zero day attack defense  (like the antivirus signatures).

 

If you have many DNS issues and have the money for the extra security then maybe you will want the DNS security:

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/dns-sec...

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/dns-security/about-dns-...

View solution in original post

2 REPLIES 2

Go to solution
nikoolayy1
L6 Presenter

‎04-19-2021 10:00 AM - edited ‎04-19-2021 10:01 AM

The one with "DNS security" in it uses another license and it is not free but provides updates in real time to the DNS signatures  (it is something like Wildfire lisense for file attacks) and the other is the free feature that needs manual  dynamic updates to update the signatures and it will not provide zero day attack defense  (like the antivirus signatures).

 

If you have many DNS issues and have the money for the extra security then maybe you will want the DNS security:

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/dns-sec...

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/dns-security/about-dns-...

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to nikoolayy1

‎04-19-2021 02:02 PM

Hello,

DNS security is a big deal with all the threats out there. Here are some things I highly suggest you do:

  1. Use a secure DNS provider such as OpenDNS, TitanHQ, or Quad9. Even PAN has one now
  2. Only allow your Domain Controllers or DNS servers to get out for external DNS lookups. Goes along with point 1 above. Everything internal points to your internal DNS/Domain Controllers, and only they can get out to your secure DNS provider.
  3. Enable all security features you are licensed for and apply them to all external and internal policies, you dont need to do URL filtering internally
  4. Follow all best practices, etc.
  5. Keep things simple, and think through them with a diagram.

Just some pointers.

 

Cheers!

  • 1 accepted solution
  • 2982 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks