I'm seeing quite a lot of messages logged in the syslog output from my PA VM-100 running PAN-OS 10.0.0:
Aug 19 07:31:29 firewall-1 1,2020/08/19 07:31:29,007051000047085,SYSTEM,general,2560,2020/08/19 07:31:29,,general,,0,0,general,medium,"DNS signature lookup timed out",1461969,0x0,0,0,0,0,,firewall-1,0,0,1970-01-01T10:00:00.000+10:00
What exactly does "DNS signature lookup timed out" mean?
My VM has two local DNS servers configured, which are functioning well and the PA VM has access to do direct external lookups as well if it needs to do so. It is located on the end of a quiet 250/100M internet fibre connection here in Australia, so connectivity and congestion is not an issue.
The DNS Signature Lookup Timeout (ms) value is set to 300 - far far above what should be necessary.
Can anyone explain the traffic flow that might cause this (do these DNS queries go direct, or via configured resolver, and over what transport) ?
If this is an error, how do I go about debugging it to find the root cause?
I would suggest identifying which traffic is causing these errors. Is it legit DNS query being timed out. Worth playing with the timers once more try increasing more, maybe some queries are timing out genuinely.
If it is like hitting a wall again, would suggest getting in touch with Palo TAC. Could be cosmetic bug or genuine misconfiguraton.
Hope that helps,
Can you suggest how I would find out what traffic it is? The log message doesn't indicate much other than a DNS query timed out. I'm assuming it is to do with the DNS Security feature.
Can you or anyone else explain the traffic flow behind this feature? I can't find it documented anywhere.
Hi @nevolex ,
In DNS security, there is a DP timeout for waiting for the DNS security verdict. When a DNS response comes after the timeout and the FW does not have a verdict, this response lets through. If the verdict is received later and indicates the previously let-through domain was malicious, this log is generated.
You could disable DNS security or set actions to allow. A permanent fix should be available in PAN-OS 10.0.10.
If you're already running a newer PAN-OS version then you might be hitting a different issue and I would recommend reaching out to support.
Hope this helps,
I am using version 10.2.4, how do I set actions to allow please?
I currently whitelisted io.dns.service.paloaltonetworks.com, not to use app-id policy for that (I use service routes for palo alto inband traffic) and some of my policies have app-id with no ssl decryption I noticed a few web services stopped working with app-ids, just too hard to fix when you just want to allow all from trust - to untrust zone 🙂
Hi @nevolex ,
You can change the DNS Security actions in the Anti-Spyware profile:
You might want to reach out to support to see if you're hitting the same issue as seen in PAN-OS 10.0 or if you're hitting a different issue entirely.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!