Is there a way to view and/or log dns queries and responses (outside of anti-spyware rules)? The passive DNS telemetry configuration seems to do what we want but those fqdn to IP mappings are sent to Palo and it doesn't appear that we can view what fqdns resolve to what IPs in the logs. This doesn't appear to be a feature in the dns proxy object either? Is there anything with PAN-OS that supports this? For all queries not just malicious ones.
You can setup a continuos packet capture in the firewall for protocol 17 (udp) and destination port 53, and then check the packet capture when you need this information. If you have excessive DNS traffic through your firewall this can cause increased dataplane CPU utilization, so be careful.
For the DNS Proxy feature in the firewall you can check its cache from the CLI:
> show dns-proxy cache all | match <fqdn>
> show dns-proxy cache filter type RR_A all FQDN <fqdn>
Technically, you could create a custom vulnerability that would match "normal" DNS traffic, set it to Alert for the action and set packet capturing to on. Unless you have plenty of resource overhead available to use on your PA I'm guessing this could be a bad idea for that much packet capturing just the same. It would fill up threat log quota or Extended Threat Pcaps quotea much more rapidly. In the logging then you would get a request source and destination just having to open the PCAP to get the domain record that was requested.
It would be great if there were just a DNS lookup log with the requestor IP included. Perhaps on your DNS server this is done and you can limit DNS lookups to just your DNS server(s) so everyone would need to be pointed there.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!