This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Palo Alto DNS Security - Remote Sites

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto DNS Security - Remote Sites

popoymaster
L2 Linker

‎08-14-2023 01:19 PM

Hello, 

 

We have a site-to-site hub and spoke vpn setup, Palo Alto being the hub and multivendor spokes.

 

Is it possible that our remote sites are able to utilize the DNS Security feature installed on Hub for DNS Sinkhole?

 

popoymaster_0-1692044119785.png

 

0 Likes Likes
14 REPLIES 14

TomYoung
Cyber Elite
Cyber Elite

‎08-14-2023 01:47 PM

Hi @popoymaster ,

 

I don't see why not as long as Internet traffic goes through the hub and your AS security profiles are applied to the security policy rules.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

popoymaster
L2 Linker
In response to TomYoung

‎08-14-2023 01:52 PM

Hi @TomYoung ,

 

Thanks for your response.

 

You are talking about backhauling the internet traffic to from remote sites to the hub right?

 

I don't think that is the direction our client wants to do it.

 

Thanks, 

Wendell

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎08-14-2023 02:21 PM

Hi @popoymaster ,

 

Then you would need to at least back haul all DNS requests from remote sites to the hub.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

popoymaster
L2 Linker
In response to TomYoung

‎08-14-2023 02:26 PM

Hi @TomYoung ,

 

This is the part we want really full understanding, so pointing users DNS Server to Palo Alto interface?

 

Will Palo Alto acts as a DNS Server?

 

Thanks, 

Wendell

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎08-14-2023 02:55 PM

Hi @popoymaster ,

 

It is sufficient for the DNS traffic to go through the PA.  You can configure the remote sites to use the DNS servers at the hub.  It is very important that the Anti-Spyware profiles are applied to the traffic.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

ozheng
L4 Transporter
In response to TomYoung

‎08-14-2023 06:53 PM

Hello all,

 

Just a side note : make sure all DNS queries are seen by the firewall, not only the request on udp/53.

(thinking about DoH / DoT, more info here https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/3...)

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

popoymaster
L2 Linker
In response to ozheng

‎08-14-2023 10:50 PM

Hello @ozheng , @TomYoung ,

 

Since Palo Alto cannot be used as DNS Server, can we just have our Internal DNS placed inside the HQ then forward the query to Palo Alto's DNS Security?

 

popoymaster_0-1692078539699.png

 

0 Likes Likes

ozheng
L4 Transporter
In response to popoymaster

‎08-15-2023 12:58 AM

Hello Popoymaster,

 

I never said it is not possible 🙂

(on the webUI, in network, you have "DNS Proxy").

And Tom suggested there was no requirement for carrying the DNS service, as long the firewalls inspect the traffic, DNS Security (if licensed) can inspect the queries and sinkhole risky domain names.

 

The issue I raised : if an user (tech-savy) changed the DNS, you lost the control on those traffic.
(and actually, an attacker on a compromised machine can change it as well).

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes

popoymaster
L2 Linker
In response to ozheng

‎08-15-2023 04:02 AM

@ozheng,

 

That is what exactly we want to implement, to push the traffic from remote sites going to the HUB, and let the Palo Alto do DNS Sinkholing (Licensed).

 

So my question is how? I am thinking to provision a DNS Server in the HUB, then that DNS Server push the DNS Query through PA for inspection.

 

Thanks,

Wendell

0 Likes Likes

ozheng
L4 Transporter
In response to popoymaster

‎08-15-2023 06:38 AM

ok @popoymaster 

 

I don't see any issue then.

You make sure the traffic is going to the Central site (static default route or advertising the default route over some routing protocol between the central site and the remote sites)

 

And you simply have to set the anti-spyware profile for the traffic (remote site> any) on the PANW firewall.
The DNS Sec is configured in the anti-spyware profile.

Also if you have read the link I shared earlier, you may take measure regarding DoH and DoT.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes

popoymaster
L2 Linker
In response to ozheng

‎08-15-2023 11:46 AM

@ozheng , 

 

Our VPN concentrator is Fortigate, it has 2 vlans, Internal and Transport.

 

Internal where the DNS Server resides.

Transport is connecting to the Inside interface of the Palo Alto.

 

Now, how is it possible to forward the traffic from Internal DNS Server and point to Palo Alto for DNS Security Filtering?

 

popoymaster_0-1692125007137.png

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎08-15-2023 01:22 PM

Hello,

If you are not backhauling all the traffic from the remote offices then you should have all the security features enabled on all of the Palo Alto's. In this case all will be able to perform threat detection etc. Here is a video for secure DNS made a few years ago that will work regardless if you backhaul or dont. Just make sure to use the secure DNS providers IP's for DNS.

https://www.youtube.com/watch?v=ROIAYSEbTuo

Regards,

0 Likes Likes

popoymaster
L2 Linker
In response to OtakarKlier

‎08-15-2023 01:33 PM

Thanks @OtakarKlier, great video there.

 

Our client's External DNS (Cisco Umbrella) is expiring soon, so they want to utilize the Palo Alto DNS Security, problem is im having some trouble figuring how to route remote sites to use the Central Site's Palo Alto.

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎08-15-2023 01:43 PM

Hello,

You dont need a license to use the basic features of Umbrella, eg already known bad sites. You just dont get a dashboard and customizable DNS filtering. From my understanding of the topology, not all the sites have Palo Alto devices. In this case, I would recommend a backhaul to the central site and let that device handle all the filtering etc. This is a common practice to save on costs at the remote offices, just increase bandwidth at the central location (bandwidth is cheap compared to all the licensing costs for each site). Also can help if you have any type of regulations you need to adhere to since all sites now have a secure and filtered connection to the internet. Here is what CISA has to say about this topology: https://www.cisa.gov/resources-tools/resources/trusted-internet-connections-tic-30-core-guidance-doc...

Here is another write up about zero trust that you might have a look at: https://skrzsecurity.net/zero-trust

Cheers!

0 Likes Likes
  • 1697 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks