08-15-2020 06:56 AM
Can we configure the firewall to allow only one response for one DNS request packet? Please suggest.
08-15-2020 08:29 AM
I see two possibilities to do this:
08-15-2020 08:48 AM
@Remo Thanks for your reply
I want to configure this like Cisco DNS Guard, where the firewall will allow only one response for one DNS request packet. So can we configure this in our Palo Alto firewall?
08-15-2020 09:20 AM
OK, so for example when a client asks for www.google.com you want only one IP as the response? If I understood correctly now, then no, this is not possible.
08-17-2020 02:19 PM
Hello,
It might help if we understood the reasoning behind the question, i.e. we want to do this because.....
In addition to enabling DNS Proxy, please make sure to configure and enable all the security features, including the DNS sinkhole.
Regards,
08-18-2020 12:57 PM
@OtakarKlier thanks for your reply
As we observed, sometimes when users access yahoo.com, the user will also get other responses too, like shopping sites, advertising pages, etc. So can we restrict the user to accessing only yahoo.com rather than adding some other DNS query resolution? Please suggest.
08-18-2020 02:16 PM
Hello,
I think I am understanding now. If you go to a site like yahoo.com, that person will be seen as going to many different sites and categories. This is due to the nature of the destination site: the main site may be one category, but since the site is dynamic and pulls in other sites to display content, you will see other things, i.e. advertising. So if you block advertising, you will start to see your block page appearing in little places where that particular dynamic content is getting pulled in from.
As you can see from the screen shot there is a blank spot on the right where an 'Ad' is supposed to be displayed. However we block them for several reasons.
Hope that makes sense
08-18-2020 10:52 PM
Just a little correction here: No, we do not want a single IP in the response of a domain resolution; a single response can have multiple IP addresses. What we want to achieve is, whenever a client requests a DNS query from the DNS server, Palo Alto should ensure it gets a single response. We basically want to prevent DDoS attacks that are initiated using DNS responses.
08-19-2020 07:17 AM
Hello,
Thanks for that clarification. I would recommend following the Palo Alto best practice and configure a DoS protection policy along with the Zone Protection policy.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOICA0
Regards,
08-19-2020 12:37 PM
@OtakarKlier Thanks for your reply
The issue is that when a user sends his request to DNS, Palo Alto resolves one DNS query rather than also contacting other DNS traffic. So can we prevent multiple DNS responses for a single query?