01-14-2014 02:01 PM
Are there any Security benefits to using the current implementation of DNS proxy on the PAN? I have seen on the ver 6.0, a new feature called DNS sinkhole, but I don't think it will require the DNS proxy feature. Watchguard checks DNS headers and a couple of other criteria for DNS-based attacks, but I don't see anything in PAN documentation that says the PAN Firewall does anything when used as a DNS proxy.
Any thoughts?
01-14-2014 02:25 PM
Hello Sir,
Regarding DNS Sinkhole: This is a new feature that will be available in PAN-OS 6.0.
This feature adds a new option to the anti-spyware profile, allowing an administrator to enable DNS sinkhole for DNS-based spyware signatures. The user specifies the IPs to sinkhole to, and then the user can run reports on that IP to identify infected hosts. The user can also set the address to the loopback address to effectively cut off the communication.
The sinkhole action, just like the block action for DNS signatures, should be processed before the DNS proxy is processed. Thus, the query never goes through the proxy and sinkhole records are not cached if DNS proxy caching is enabled.
DNS Sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic. Sinkholing DNS queries involves forging responses to select DNS queries so that clients on the network connect to a specified host rather than the actual host pointed to by DNS. Infected hosts can then be identified from traffic logs and reports. Any host that attempts to connect to the sinkhole host (assumed not to be contacted for any legitimate purpose) is infected with malware.
Regarding DNS PROXY, please refer to the document mentioned below:
How to Configure DNS Proxy on a Palo Alto Networks Firewall
I hope the above explanation will help you.
Thanks
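The reporting step described in the reply above (finding hosts that tried to reach the sinkhole address), as an added example that is not part of the original post and is not Palo Alto Networks code. The CSV log layout, the sample rows and the sinkhole address `192.0.2.53` are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample traffic log. The CSV layout is hypothetical, not a PAN-OS export format.
SAMPLE_LOG = """time,src,dst,dport,action
2014-01-14T14:02:11,10.1.1.23,192.0.2.53,80,allow
2014-01-14T14:02:15,10.1.1.40,198.51.100.7,443,allow
2014-01-14T14:05:42,10.1.1.23,192.0.2.53,443,deny
2014-01-14T14:09:03,10.1.2.8,192.0.2.53,80,allow
2014-01-14T14:10:00,10.1.3.3,not-an-ip,80,allow
"""

SINKHOLE_IP = "192.0.2.53"  # assumed sinkhole address (documentation range)


def sinkhole_hits(log_text, sinkhole_ip):
    """Return {source_ip: {"count", "first", "last", "ports"}} for hosts that tried the sinkhole."""
    sinkhole = ipaddress.ip_address(sinkhole_ip)
    if sinkhole.is_loopback:
        # Traffic to a loopback address never leaves the client, so no
        # traffic-log entry exists to report on.
        raise ValueError("loopback sinkhole leaves no traffic-log entries")
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # skip rows whose destination is not a valid IP
        if dst != sinkhole:
            continue
        # Count every attempt, allowed or denied: the attempt itself is the signal.
        h = hits.setdefault(row["src"], {"count": 0, "first": row["time"],
                                         "last": row["time"], "ports": set()})
        h["count"] += 1
        h["first"] = min(h["first"], row["time"])  # ISO timestamps sort as text
        h["last"] = max(h["last"], row["time"])
        h["ports"].add(int(row["dport"]))
    return hits


if __name__ == "__main__":
    for src, h in sorted(sinkhole_hits(SAMPLE_LOG, SINKHOLE_IP).items()):
        print(src, h["count"], h["first"], h["last"], sorted(h["ports"]))
```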
01-15-2014 06:18 AM
Thanks for the information on the sinkhole function. I am using DNS proxy for a "test" environment, so I have set it up and know how it works, but my question is more on whether the PAN includes any security-related functionality when using DNS proxy (especially if using reverse DNS proxy) or if this increases security for the environment.