DNS Query


L4 Transporter

Can we configure the firewall so that it will allow only one response for one DNS request packet? Please suggest.

L7 Applicator

Hi @Joshan_Lakhani

I see two possibilities to do this:

  1. Configure the DNS proxy feature to correctly resolve only the one DNS entry you need (the client/server then needs to have this DNS proxy IP configured as its DNS server)
  2. Create a custom application signature where you specify the DNS entry that you want to allow

@Remo Thanks for your reply

I want to configure it like Cisco DNS Guard, so that the firewall will allow only one response for one DNS request packet. So can we configure this on our Palo Alto firewall?

Ok, so for example when a client asks for www.google.com you want only one IP as response? If I understood now correctly, then no, this is not possible.

Hello,

It might help if we understood the reasoning behind the question, i.e. "we want to do this because....."

In addition to enabling DNS Proxy, please make sure to configure and enable all the security features, including the DNS sinkhole.

Regards,

@OtakarKlier thanks for your reply

As we observed, sometimes when users access yahoo.com, the user will also get other responses too, like shopping sites, advertising pages etc. So can we restrict the user to accessing only yahoo.com rather than adding other DNS query resolutions? Please suggest.

Hello,

I think I am understanding now. If you go to a site like yahoo.com, that person will be seen as going to many different sites and categories. This is due to the nature of the destination site: the main site may be 1 category, but since the site is dynamic and pulls in other sites to display content, you will see other things, i.e. advertising. So if you block advertising, you will start to see your block page appearing in little places where that particular dynamic content is getting pulled in from.

As you can see from the screenshot, there is a blank spot on the right where an 'Ad' is supposed to be displayed. However, we block them for several reasons.

[Screenshot: OtakarKlier_0-1597785366518.png]

Hope that makes sense

@OtakarKlier 

Just a little correction here: No, we do not want a single IP in the response to a domain resolution – a single response can have multiple IP addresses. What we want to achieve is, whenever a client sends a DNS query to the DNS server, Palo Alto should ensure it gets a single response. We basically want to prevent DDoS attacks that are initiated using DNS responses.
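As an added illustration (not code from this thread or from Palo Alto Networks), the one-response-per-query behaviour described above can be expressed as a small stateful filter in Python: a query registers a pending transaction, the first matching response is passed, and any later response for the same transaction, or one with no pending query, is dropped. All addresses and packets below are constructed.

```python
import struct

# DNS header layout (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
DNS_HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # set in FLAGS when the packet is a response

def build_dns_header(txid, is_response, ancount=0):
    """Constructed sample packet: header only, which is all the guard inspects."""
    flags = 0x8180 if is_response else 0x0100
    return DNS_HEADER.pack(txid, flags, 1, ancount, 0, 0)

class DnsGuard:
    """Pass the first response that matches a pending query; drop the rest.

    Pending queries are keyed by (client, server, transaction ID). The key is
    removed as soon as a response matches it, so a second response for the
    same query is dropped, as is any response with no pending query."""

    def __init__(self):
        self.pending = set()
        self.dropped = 0

    def process(self, src, dst, payload):
        if len(payload) < DNS_HEADER.size:
            self.dropped += 1
            return "drop"           # malformed: shorter than a DNS header
        txid, flags = struct.unpack_from("!HH", payload)
        if not flags & QR_BIT:      # query: remember it, then let it through
            self.pending.add((src, dst, txid))
            return "allow"
        key = (dst, src, txid)      # response: endpoints are reversed
        if key in self.pending:
            self.pending.discard(key)
            return "allow"
        self.dropped += 1
        return "drop"

def run_sample():
    """Constructed exchange: one query, two responses with its ID, one stray."""
    guard = DnsGuard()
    client, server = ("10.0.0.5", 5353), ("192.0.2.53", 53)
    verdicts = [
        guard.process(client, server, build_dns_header(0x1234, False)),
        guard.process(server, client, build_dns_header(0x1234, True, 2)),
        guard.process(server, client, build_dns_header(0x1234, True, 2)),
        guard.process(server, client, build_dns_header(0x9999, True, 1)),
    ]
    return verdicts, guard.dropped
```

`run_sample()` returns `(['allow', 'allow', 'drop', 'drop'], 2)`: the query and its first reply pass, the duplicate reply and the unsolicited one are dropped.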

Hello,

Thanks for that clarification. I would recommend following the Palo Alto best practice and configure a DoS protection policy along with the Zone Protection policy.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOICA0

Regards,

@Remo 

@OtakarKlier Thanks for your reply

The issue is, when a user sends his request to DNS, Palo Alto should resolve only one DNS query rather than contacting other DNS traffic as well. So can we prevent multiple DNS responses for a single query?
