Monitor NXDOMAIN Unknown Answers (Failures)

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L0 Member

Monitor NXDOMAIN Unknown Answers (Failures)

Does anyone know if it is possible to monitor for NXDOMAIN Unknown Answers (Failures) with PanOS 5.0 ?

Would it be a custom signature/application that needs to be created?

Tags (1)
Highlighted
L6 Presenter

I did not hear about any function doing that.

if Nxdomain answers has a common criteria maybe....

Highlighted
L6 Presenter

According to the manual "DNS" is currently not available (in PANOS 5.0) as decoder for custom signatures.

If it were you would be able to create a custom signature that brings you an alert (a log entry) each time a NXDOMAIN answer is seen.

Without the decoder you can still create a custom signature based on the hex-values but then this string must be 7 chars (or something like that) and you will most likely get a bunch of false positives because this string is matched through the whole session and not just in a specific "field".

Highlighted
L4 Transporter

Hello Bengbrewer,

You can create a Custom Vulnerability Signature to look for the HEX values in a DNS Response header part of a packet that has the No Such Name flag (NXDOMAIN).  Below is my custom signature to do just that.

<vulnerability-threat version="6.0.0">

  <entry name="41000">

    <signature>

      <standard>

        <entry name="NXDOMAIN">

          <and-condition>

            <entry name="And Condition 1">

              <or-condition>

                <entry name="Or Condition 1">

                  <operator>

                    <pattern-match>

                      <pattern>\x81830001000000\x</pattern>

                      <context>dns-rsp-header</context>

                    </pattern-match>

                  </operator>

                </entry>

              </or-condition>

            </entry>

          </and-condition>

          <order-free>no</order-free>

          <scope>protocol-data-unit</scope>

        </entry>

      </standard>

    </signature>

    <default-action>

      <alert/>

    </default-action>

    <threatname>NXDOMAIN</threatname>

    <severity>informational</severity>

    <direction>server2client</direction>

    <affected-host>

      <client>yes</client>

      <server>yes</server>

    </affected-host>

  </entry>

</vulnerability-threat>

Hope it helps.

Kind regards,

Jeff

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!