This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DNS logs

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS logs

mpochan
L0 Member

‎01-17-2019 08:15 AM

Is there a way to view and/or log dns queries and responses (outside of anti-spyware rules)? The passive DNS telemetry configuration seems to do what we want but those fqdn to IP mappings are sent to Palo and it doesn't appear that we can view what fqdns resolve to what IPs in the logs. This doesn't appear to be a feature in the dns proxy object either? Is there anything with PAN-OS that supports this? For all queries not just malicious ones. 

2 REPLIES 2

mivaldi
L7 Applicator

‎01-17-2019 10:23 AM - edited ‎01-17-2019 11:06 AM

You can setup a continuos packet capture in the firewall for protocol 17 (udp) and destination port 53, and then check the packet capture when you need this information. If you have excessive DNS traffic through your firewall this can cause increased dataplane CPU utilization, so be careful.

 

For the DNS Proxy feature in the firewall you can check its cache from the CLI:

> show dns-proxy cache all | match <fqdn>

 

OR

 

> show dns-proxy cache filter type RR_A all FQDN <fqdn>

 

0 Likes Likes

bspilde
L4 Transporter
In response to mivaldi

‎06-24-2019 02:26 PM

Technically, you could create a custom vulnerability that would match "normal" DNS traffic, set it to Alert for the action and set packet capturing to on. Unless you have plenty of resource overhead available to use on your PA I'm guessing this could be a bad idea for that much packet capturing just the same. It would fill up threat log quota or Extended Threat Pcaps quotea much more rapidly. In the logging then you would get a request source and destination just having to open the PCAP to get the domain record that was requested.

 

It would be great if there were just a DNS lookup log with the requestor IP included. Perhaps on your DNS server this is done and you can limit DNS lookups to just your DNS server(s) so everyone would need to be pointed there.

  • 10922 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks