PA service account causing huge root DNS traffic?

L3 Networker

PA service account causing huge root DNS traffic?

Basically, the traffic monitor is showing DNS traffic going from my DNS server in the trusted zone to the external root DNS (our ISP) in the untrusted zone, and the user is the PA's own domain account.

All of it's coming from a domain controller that also has the User-ID agent installed.

I probably fudged something in the settings, because it doesn't look right. Now the PA account is in 1st place, accounting for 40% of all DNS traffic.

L6 Presenter

Re: PA service account causing huge root DNS traffic?

Hi...Please check the 'enable User Identification' setting on the zones and ensure only your trusted zone has it enabled.  We don't want the system to try and ID those IPs on the untrusted zone.  Thanks.

L3 Networker

Re: PA service account causing huge root DNS traffic?

Yes, it's set for my trusted zone only. But I'm not sure if I accidentally swapped the trusted/untrusted physical ethernet connections (I have it currently configured as virtual wire and allow all both ways). Could that potentially be the issue?

L3 Networker

Re: PA service account causing huge root DNS traffic?

I've disabled the User-ID agent installed on that domain controller, and I don't see the PA domain account doing root DNS lookups anymore. Now it's not showing any user account linked to the root DNS lookup traffic, which I believe is normal. However, I also don't have that DC in the UserID config now.

I have 3 other DCs in the User-ID config; why would this happen on only one DC? They are all in the trusted zone, and the only difference is that the 3 DCs do not have the agent installed.

L3 Networker

Re: PA service account causing huge root DNS traffic?

Hey,

But do you still see the root DNS lookups happening anyway?

The PAN has done an ip-to-user mapping on the PA account and the DNS server, and when it's doing lookups that it's not authoritative for, it will go out and get that information. Since User-ID is enabled for that zone, it has grabbed that information from the ip-to-user mapping table and logged it as that user.

L3 Networker

Re: PA service account causing huge root DNS traffic?

Yes, root DNS lookups are still happening, from the same DC and the other DCs. But they no longer have the PA service account attached to them (they just show no user account) after I've disabled the UserID agent application on that DC.

Why does the PA generate so much root DNS lookup traffic? What is it looking up that isn't cached on our local DNS servers? I have DNS Packet Capture enabled in the Objects>Anti-Spyware profile, but it's not capturing the DNS packets.

L3 Networker

Re: PA service account causing huge root DNS traffic?

Same here. Our solution was to disable "logging" in the Palo Alto User Agent on our DC and then restart the service (no restart, no change). That made it stop doing DNS lookups worldwide. We noticed the activity when it started hitting countries we have blocked after we think tech support maybe changed it to debug mode.

L3 Networker

Re: PA service account causing huge root DNS traffic?

It's not the PA (I'm assuming you mean the service account and not the device); as you have said, the root DNS lookups are still coming from the DCs. It's the DCs generating the root DNS lookups. It has just mapped the PA service account to the DC IP address.

As to why it is going to the root DNS servers as opposed to the local DNS servers' cache, that is something you need to investigate locally on those DNS servers. It could be that the TTL for the DNS names is very short, or it could be a new query that your cache doesn't have, and with web apps and services using CDNs these days, you could be bounced all over the place.

If you've enabled DNS packet capture under anti-spyware, it will only log those identified via DNS as malware sites.  You should do a packet capture under Monitor or via the CLI which I think has more options to filter.
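An added example, not part of the thread: once you have a packet capture of the queries the DNS server sends upstream, this sketch sorts them by the causes suggested above (names the cache has never seen, short TTLs, or records re-fetched before they should have expired). The four-column input format, the sample lines and the 60-second threshold are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample, one line per query the DNS server sent upstream:
# "epoch_seconds qname qtype answer_ttl" (hypothetical export format).
SAMPLE = """\
1000 cdn.example.net A 20
1025 cdn.example.net A 20
1050 cdn.example.net A 20
1010 www.example.org A 3600
1100 app.example.com A 3600
1160 app.example.com A 3600
1030 7.2.0.192.in-addr.arpa PTR 300
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank or malformed lines
            ts, qname, qtype, ttl = parts
            rows.append((int(ts), qname.lower().rstrip("."), qtype.upper(), int(ttl)))
    return rows

def classify(rows, short_ttl=60):
    """Map (qname, qtype) -> (query count, likely reason the cache did not answer)."""
    seen = defaultdict(list)
    for ts, qname, qtype, ttl in rows:
        seen[(qname, qtype)].append((ts, ttl))
    report = {}
    for key, hits in seen.items():
        times = sorted(ts for ts, _ in hits)
        min_ttl = min(ttl for _, ttl in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps:
            reason = "one-off"                  # name seen once: nothing cached yet
        elif min(gaps) < min_ttl:
            reason = "refetched-before-expiry"  # cache is not holding the record
        elif min_ttl <= short_ttl:
            reason = "short-ttl"                # record expires fast, re-fetch expected
        else:
            reason = "normal-expiry"
        report[key] = (len(hits), reason)
    return report

def totals_by_reason(report):
    totals = defaultdict(int)
    for count, reason in report.values():
        totals[reason] += count
    return dict(totals)
```

A large "refetched-before-expiry" share points at the cache on the DNS server itself, while mostly "one-off" or "short-ttl" queries match the CDN and new-name explanation.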
