Basically, the traffic monitor is showing DNS traffic going from my DNS server in the trusted zone to the external root DNS (our ISP) in the untrusted zone, and the user is the PA's own domain account.
All of it's coming from a domain controller that also has the User-ID agent installed.
I probably fudged something in the settings, because it doesn't look right. Now the PA account is in 1st place, accounting for 40% of all DNS traffic.
I've disabled the User-ID agent installed on that domain controller, and I don't see the PA domain account doing root DNS lookups anymore. Now it's not showing any user account linked to the root DNS lookup traffic, which I believe is normal. However, I also don't have that DC in the UserID config now.
I have 3 other DCs in the User-ID config, so why would this happen on only one DC? They are all in the trusted zone, and the only difference is that the 3 DCs do not have the agent installed.
But do you still see the root DNS lookups happening anyway?
The PAN has done an ip-to-user mapping on the PA account and the DNS server, and when it's doing lookups that it's not authoritative for it will go out and get that information. Since User-ID is enabled for that zone, it has grabbed that information from the ip-to-user mapping table and logged it as that user.
Yes, root DNS lookups are still happening, from the same DC and the other DCs. But they no longer have the PA service account attached to them (they just show no user account) after I've disabled the UserID agent application on that DC.
Why does the PA generate so much root DNS lookup traffic? What is it looking up that isn't cached on our local DNS servers? I have DNS Packet Capture enabled in the Objects>Anti-Spyware profile, but it's not capturing the DNS packets.
Same here. Our solution was to disable "logging" in the Palo Alto User Agent on our DC and then restart the service (no restart, no change). That made it stop doing DNS lookups worldwide. We noticed the activity when it started hitting countries we have blocked, after we think tech support maybe changed it to debug mode.
It's not the PA (I'm assuming you mean the service account and not the device), as you have said the root DNS lookups are still coming from the DCs; it's the DCs generating the root DNS lookups. It has just mapped the PA service account to the DC IP address.
As to why it is going to the root DNS servers as opposed to the local DNS servers' cache, that is something you need to investigate locally on those DNS servers. It could be that the TTL for the DNS names is very short, or it could be a new query that your cache doesn't have; with web apps and services using CDNs these days, you could be bounced all over the place.
If you've enabled DNS packet capture under anti-spyware, it will only log those identified via DNS as malware sites. You should do a packet capture under Monitor or via the CLI, which I think has more options to filter.
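To make the ip-to-user mapping effect described in the replies above concrete, here is an added example (not from this thread or from Palo Alto Networks) that reads constructed, simplified traffic-log lines and reports which source users are attached to DNS sessions. A User-ID service account showing up as the top DNS user from a DC/DNS server IP is exactly the symptom in the original post. The log format, field names, user names and IP addresses are all constructed for the example, not the real PAN-OS log layout.

```python
"""
Added example: detect a service account dominating DNS traffic in traffic logs.

Symptom from the thread: the User-ID agent logs on from the DC, the firewall
maps the DC's IP to that service account, and every DNS lookup the DC makes
is then logged under that account. Everything below (log layout, users, IPs)
is constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed, simplified log lines: time,src_ip,dst_ip,app,src_user,dst_port,bytes
# (empty src_user means no ip-to-user mapping existed for that source IP).
SAMPLE_LOG = """\
2024-01-01 10:00:01,10.0.0.5,198.51.100.53,dns,corp\\svc-userid,53,120
2024-01-01 10:00:02,10.0.0.5,198.51.100.53,dns,corp\\svc-userid,53,130
2024-01-01 10:00:03,10.0.0.6,198.51.100.53,dns,,53,110
2024-01-01 10:00:04,10.0.0.7,198.51.100.53,dns,,53,115
2024-01-01 10:00:05,10.0.0.21,203.0.113.10,web-browsing,corp\\alice,443,9000
2024-01-01 10:00:06,10.0.0.5,198.51.100.53,dns,corp\\svc-userid,53,125
2024-01-01 10:00:07,10.0.0.8,198.51.100.53,dns,,53,112
2024-01-01 10:00:08,10.0.0.22,198.51.100.53,dns,corp\\bob,53,118
"""

FIELDS = ("time", "src_ip", "dst_ip", "app", "src_user", "dst_port", "bytes")


def parse_log(text):
    """Parse the constructed comma-separated lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["bytes"] = int(rec["bytes"])
        rec["src_user"] = rec["src_user"] or "(unknown)"
        records.append(rec)
    return records


def dns_share_by_user(records):
    """Fraction of DNS sessions attributed to each source user."""
    dns = [r for r in records if r["app"] == "dns"]
    counts = Counter(r["src_user"] for r in dns)
    total = len(dns)
    return {user: n / total for user, n in counts.items()} if total else {}


def user_to_hosts(records):
    """Source IPs each user was mapped to in the log (shows which host carries the mapping)."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["src_user"]].add(r["src_ip"])
    return hosts


def flag_service_account_dns(records, service_accounts, threshold=0.2):
    """Return (user, share, hosts) for service accounts at or above the DNS-share threshold.

    A service account that should never browse or resolve names on its own
    accounting for a large share of DNS sessions points at a stale or
    unintended ip-to-user mapping on the listed hosts.
    """
    shares = dns_share_by_user(records)
    hosts = user_to_hosts(records)
    flagged = []
    for user in service_accounts:
        share = shares.get(user, 0.0)
        if share >= threshold:
            flagged.append((user, share, sorted(hosts[user])))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, share in sorted(dns_share_by_user(recs).items(), key=lambda kv: -kv[1]):
        print(f"{user:20s} {share:6.1%} of DNS sessions")
    for user, share, hosts in flag_service_account_dns(recs, ["corp\\svc-userid"]):
        print(f"FLAG: {user} mapped to {hosts} carries {share:.1%} of DNS sessions")
```

Running it on the constructed log shows the service account at roughly 43% of DNS sessions, all from the one DC IP, which matches the "1st place, 40% of all DNS traffic" pattern in the post; on real data the fix is on the User-ID side (exclude the service account or the DC's IP from mapping), not on the DNS server.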