Large Varying IP Pools for DNS (CB Defense And Firewall Rules) [SOLUTION]

L3 Networker

@vsys_remo wrote: 

So if the client uses this name but connects to an IP that is controlled by an attacker, the firewall will happily allow the connection with the rule in your screenshot.

As soon as I realized how that worked this was my first thought!

Fortunately our DNS is fairly secure (externally anyway).  However if a bad actor got in and started spoofing DNS internally then yes we would have problems.  Also a user that understands the vulnerability would be able to access sites that are blocked.  We do have all of the Security Profiles built and are using all but Data Filtering on this rule.


Unfortunately I don't know that DNS proxy would work internally as we are using split DNS internally for both domain and some site requests.  During our initial configuration Palo Alto implied this was not preferred due to the load it put on the firewall (this may not be correct but it has caused us to avoid it on most of our networks).

“Do not own a computer;
Do not power it on;
and do not use one.”

Morris’s Three Golden Rules of Computer Security
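The point raised in the quoted reply, that an FQDN rule allows whatever IP the firewall's resolver returns for the name, can be modelled and checked. The following is an added example (not from the thread or from any vendor tool), using constructed resolver answers: it evaluates an FQDN-style allow rule against a resolver view, and flags addresses that the internal resolver hands out but a trusted, out-of-band resolution does not.

```python
from typing import Dict, Set

# Constructed sample data (not from the thread). Each view maps an FQDN used in
# a firewall rule to the A records a resolver returned for it.
# TRUSTED_VIEW stands in for an out-of-band, known-good resolution;
# INTERNAL_VIEW stands in for the internal resolver the firewall queries.
TRUSTED_VIEW: Dict[str, Set[str]] = {
    "updates.example.com": {"203.0.113.10", "203.0.113.11"},
    "files.example.net": {"198.51.100.7"},
}
INTERNAL_VIEW: Dict[str, Set[str]] = {
    "updates.example.com": {"203.0.113.10", "203.0.113.11"},
    # A spoofed answer: one extra IP that the trusted view does not return.
    "files.example.net": {"198.51.100.7", "192.0.2.99"},
}


def fqdn_rule_allows(rule_fqdn: str, dst_ip: str, resolver: Dict[str, Set[str]]) -> bool:
    """Model an FQDN-based allow rule: the destination is permitted if it is
    among the addresses the firewall's resolver currently returns for the name.
    The rule never checks who controls the IP, only that DNS vouched for it."""
    return dst_ip in resolver.get(rule_fqdn, set())


def resolution_drift(trusted: Dict[str, Set[str]], internal: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return, per FQDN, the addresses the internal resolver hands out that the
    trusted view does not. These are exactly the IPs an FQDN rule would
    silently allow if internal DNS answers were being spoofed."""
    drift: Dict[str, Set[str]] = {}
    for name in trusted.keys() | internal.keys():
        extra = internal.get(name, set()) - trusted.get(name, set())
        if extra:
            drift[name] = extra
    return drift


if __name__ == "__main__":
    # With the poisoned internal view the rule allows the unexpected IP;
    # with the trusted view it does not.
    print(fqdn_rule_allows("files.example.net", "192.0.2.99", INTERNAL_VIEW))  # True
    print(fqdn_rule_allows("files.example.net", "192.0.2.99", TRUSTED_VIEW))   # False
    for name, ips in resolution_drift(TRUSTED_VIEW, INTERNAL_VIEW).items():
        print(f"ALERT {name}: unexpected {sorted(ips)}")
```

For names backed by large, varying IP pools (the subject of this thread) an exact set comparison will raise benign alerts on every pool rotation, so in practice the drift check is better run against the provider's published prefixes than against a single snapshot.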
