DNS Query

L4 Transporter

Can we configure the firewall so that it will allow only one response for one DNS request packet? Please suggest.


Cyber Elite

Hi @Joshan_Lakhani

I see two possibilities to do this:

  1. Configure the DNS proxy feature to only correctly resolve this one dns entry you need (the client/server then needs to have this dns proxy IP configured as DNS server)
  2. Create a custom application signature where you specify the DNS entry that you want to allow
L4 Transporter

@vsys_remo Thanks for your reply

I want to configure it like Cisco DNS Guard, so that the firewall will allow only one response for one DNS request packet. Can we configure this in our Palo Alto firewall?

Cyber Elite

Ok, so for example when a client asks for www.google.com you want only one IP as response? If I understood now correctly, then no, this is not possible.

Cyber Elite

Hello,

It might help if we understood the reasoning behind the question, i.e. we want to do this because.....


In addition to enabling DNS Proxy, please make sure to configure and enable all the security features, including the DNS sinkhole.


Regards,

L4 Transporter

@OtakarKlier thanks for your reply


As we observed, sometimes when users access yahoo.com the user will also get other responses too, like shopping sites, advertising pages, etc. So can we restrict the user to accessing only yahoo.com rather than adding some other DNS query resolution? Please suggest.

Cyber Elite

Hello,

I think I am understanding now. If you go to a site like yahoo.com, that person will be seen as going to many different sites and categories. This is due to the nature of the destination site as the main site maybe 1 category, but since the site is dynamic and pulls in other sites to display content, you will see other things, i.e. advertising. So if you block advertising, you will start to see your block page appearing in little places where that particular dynamic content is getting pulled in from.


As you can see from the screen shot there is a blank spot on the right where an 'Ad' is supposed to be displayed. However we block them for several reasons.

[attached screenshot: OtakarKlier_0-1597785366518.png]

Hope that makes sense

L4 Transporter

@OtakarKlier

Just a little correction here: No, we do not want single IP in response of a domain resolution – a single response can have multiple IP addresses. What we want to achieve is, whenever a client requests DNS server for a DNS query Palo Alto should ensure it gets a single response. We basically want to prevent DDOS attacks that are initiated using DNS responses.
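To make the "one response per query" behaviour the poster is asking for concrete, here is an added Python illustration (not code from this thread, from Palo Alto Networks or from Cisco) of what a DNS Guard style check does: it records each outbound query by client address/port, server address, transaction ID and question name, lets exactly one matching response through, and drops both replayed duplicates and responses that were never requested. The packet bytes, IP addresses, ports and helper names (`build_query`, `build_response`, `DnsResponseGuard`, `run_sample`) are all constructed for the example.

```python
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer: the question section never uses one here
            raise ValueError("compressed names are not handled in this example")
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """Constructed sample: a standard A/IN query with RD set (QR=0)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ips: List[str]) -> bytes:
    """Constructed sample: a response (QR=1, RD, RA) with one A record per IP."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C = pointer to the name in the question section at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + body


def parse_dns(payload: bytes) -> Tuple[int, bool, str]:
    """Return (transaction id, is_response, lowercase question name)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("example expects exactly one question")
    qname, _ = decode_name(payload, 12)
    return txid, bool(flags & 0x8000), qname.lower()


class DnsResponseGuard:
    """Hypothetical stateful matcher: one allowed response per observed query.

    A real implementation would also expire pending entries after a few
    seconds and bound the table size, so the state itself cannot be exhausted.
    """

    def __init__(self) -> None:
        self.pending = set()   # queries waiting for their single answer
        self.answered = set()  # queries already answered once

    def observe(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                payload: bytes) -> str:
        txid, is_response, qname = parse_dns(payload)
        if not is_response:
            self.pending.add((src_ip, src_port, dst_ip, txid, qname))
            return "query"
        # For a response the client is the destination and the server the source.
        key = (dst_ip, dst_port, src_ip, txid, qname)
        if key in self.pending:
            self.pending.discard(key)
            self.answered.add(key)
            return "allow"
        if key in self.answered:
            return "drop-duplicate"
        return "drop-unsolicited"


def run_sample() -> List[str]:
    """Replay a constructed exchange and return the verdict for each packet."""
    guard = DnsResponseGuard()
    client, server = ("10.0.0.5", 40123), ("198.51.100.53", 53)
    query = build_query(0x1A2B, "www.example.com")
    # One response carrying two IPs is still one response and is allowed.
    reply = build_response(0x1A2B, "www.example.com", ["192.0.2.10", "192.0.2.11"])
    unsolicited = build_response(0x7777, "www.example.com", ["203.0.113.9"])
    events = [
        (client + server, query),
        (server + client, reply),
        (server + client, reply),        # same answer replayed
        (server + client, unsolicited),  # no matching query was ever seen
    ]
    return [guard.observe(*endpoints, payload) for endpoints, payload in events]


if __name__ == "__main__":
    print(run_sample())
```

The verdict list for the constructed exchange is `["query", "allow", "drop-duplicate", "drop-unsolicited"]`; the second verdict shows that a single response with several A records passes, which is the distinction the poster draws between "one IP" and "one response".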

Cyber Elite

Hello,

Thanks for that clarification. I would recommend following the Palo Alto best practice and configure a DoS protection policy along with the Zone Protection policy.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOICA0


Regards,
