This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DNS issue due to Proxy-Avoidance-and-Anonymizers software

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS issue due to Proxy-Avoidance-and-Anonymizers software

AmitChauhan
L0 Member

‎04-29-2024 03:21 AM

Hello All,

We observered a Sev 1 issue last week which was related to internet slowness that impacted large number of users . During the issue start time , we observed DNS traffic blocks between our DNS server and URL services.disconnect.me ( Palo Alto firewall was flagging it as Threat)

Regarding this URL – this is related to a browser extension "disconnect me" which is not malicious , this is used to avoid tracking on the internet.

URL: services.disconnect.me

Categories: Proxy-Avoidance-and-Anonymizers

Risk Level: Low-Risk

   

my setup isclient -> internal dns server -> dnsproxy(PAN firewall) -> external dns server

 

Though, the issue was fixed after removing DNS security from my antispyware profile which was called into the DNS rule.

 

I'm trying to understand if this URL/extension or similar Ad blocking/Anti-tracking extension can impact/corrupt the DNS traffic which can eventually choke the network.

0 Likes Likes
1 REPLY 1

JohnJakusLW
L0 Member

‎02-24-2025 04:01 PM

I initially set a rule follwing Palo Alto's best practices using the recommended block or unwanted or malicious URL Catagories. Starting in late 2024, I noticed that iOS devices using PrivateRelay were being blocked by the rule. I had did the following to start allowing the traffic again on guest networks.

1. Create address objects for url's releated directly to Apple PrivateRelay using tags like Apple, URL, PrivateRelay. Group with a Dynamic Group by the tags.

2. Remove dynamic-dns and proxy-avoidance-and-anonymizers from the primary protection rule blocking the PA recommended URL Categories.

3. Clone the primary security rule that included all  the recommended URL catagories. 

4. Add dynamic-dns as the only URL category to block

5. Add a destination address to the new Dynamic Group and tick negate.

6. Clone this rule and change the URL category to proxy-avoidance-and-anonymizers

 

In theory this would allow only those URLs to pass this rule.

 

I am sure there are other methods but this allows a single rule to allow defined urls through this security rule.

0 Likes Likes
  • 2845 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks