Palo Alto DNS Security - Remote Sites

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto DNS Security - Remote Sites

L2 Linker

Hello, 

 

We have a site-to-site hub and spoke vpn setup, Palo Alto being the hub and multivendor spokes.

 

Is it possible that our remote sites are able to utilize the DNS Security feature installed on Hub for DNS Sinkhole?

 

popoymaster_0-1692044119785.png

 

14 REPLIES 14

Cyber Elite
Cyber Elite

Hi @popoymaster ,

 

I don't see why not as long as Internet traffic goes through the hub and your AS security profiles are applied to the security policy rules.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

 

Thanks for your response.

 

You are talking about backhauling the internet traffic to from remote sites to the hub right?

 

I don't think that is the direction our client wants to do it.

 

Thanks, 

Wendell

Cyber Elite
Cyber Elite

Hi @popoymaster ,

 

Then you would need to at least back haul all DNS requests from remote sites to the hub.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

 

This is the part we want really full understanding, so pointing users DNS Server to Palo Alto interface?

 

Will Palo Alto acts as a DNS Server?

 

Thanks, 

Wendell

Cyber Elite
Cyber Elite

Hi @popoymaster ,

 

It is sufficient for the DNS traffic to go through the PA.  You can configure the remote sites to use the DNS servers at the hub.  It is very important that the Anti-Spyware profiles are applied to the traffic.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hello all,

 

Just a side note : make sure all DNS queries are seen by the firewall, not only the request on udp/53.

(thinking about DoH / DoT, more info here https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/3...)

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Hello @ozheng , @TomYoung ,

 

Since Palo Alto cannot be used as DNS Server, can we just have our Internal DNS placed inside the HQ then forward the query to Palo Alto's DNS Security?

 

popoymaster_0-1692078539699.png

 

Hello Popoymaster,

 

I never said it is not possible 🙂

(on the webUI, in network, you have "DNS Proxy").

And Tom suggested there was no requirement for carrying the DNS service, as long the firewalls inspect the traffic, DNS Security (if licensed) can inspect the queries and sinkhole risky domain names.

 

The issue I raised : if an user (tech-savy) changed the DNS, you lost the control on those traffic.
(and actually, an attacker on a compromised machine can change it as well).

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

@ozheng,

 

That is what exactly we want to implement, to push the traffic from remote sites going to the HUB, and let the Palo Alto do DNS Sinkholing (Licensed).

 

So my question is how? I am thinking to provision a DNS Server in the HUB, then that DNS Server push the DNS Query through PA for inspection.

 

Thanks,

Wendell

ok @popoymaster 

 

I don't see any issue then.

You make sure the traffic is going to the Central site (static default route or advertising the default route over some routing protocol between the central site and the remote sites)

 

And you simply have to set the anti-spyware profile for the traffic (remote site> any) on the PANW firewall.
The DNS Sec is configured in the anti-spyware profile.

Also if you have read the link I shared earlier, you may take measure regarding DoH and DoT.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

@ozheng , 

 

Our VPN concentrator is Fortigate, it has 2 vlans, Internal and Transport.

 

Internal where the DNS Server resides.

Transport is connecting to the Inside interface of the Palo Alto.

 

Now, how is it possible to forward the traffic from Internal DNS Server and point to Palo Alto for DNS Security Filtering?

 

popoymaster_0-1692125007137.png

 

Cyber Elite
Cyber Elite

Hello,

If you are not backhauling all the traffic from the remote offices then you should have all the security features enabled on all of the Palo Alto's. In this case all will be able to perform threat detection etc. Here is a video for secure DNS made a few years ago that will work regardless if you backhaul or dont. Just make sure to use the secure DNS providers IP's for DNS.

https://www.youtube.com/watch?v=ROIAYSEbTuo

Regards,

Thanks @OtakarKlier, great video there.

 

Our client's External DNS (Cisco Umbrella) is expiring soon, so they want to utilize the Palo Alto DNS Security, problem is im having some trouble figuring how to route remote sites to use the Central Site's Palo Alto.

Cyber Elite
Cyber Elite

Hello,

You dont need a license to use the basic features of Umbrella, eg already known bad sites. You just dont get a dashboard and customizable DNS filtering. From my understanding of the topology, not all the sites have Palo Alto devices. In this case, I would recommend a backhaul to the central site and let that device handle all the filtering etc. This is a common practice to save on costs at the remote offices, just increase bandwidth at the central location (bandwidth is cheap compared to all the licensing costs for each site). Also can help if you have any type of regulations you need to adhere to since all sites now have a secure and filtered connection to the internet. Here is what CISA has to say about this topology: https://www.cisa.gov/resources-tools/resources/trusted-internet-connections-tic-30-core-guidance-doc...

Here is another write up about zero trust that you might have a look at: https://skrzsecurity.net/zero-trust

Cheers!

  • 3118 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!