01-19-2024 07:17 AM
We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.
We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.
Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.
We have been working with the TAC since yesterday, and it seems no luck on that.
Thank you
02-22-2024 08:02 PM - edited 02-27-2024 07:43 PM
@DerejeBallSportsGear@Dereje wrote:
We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.
We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.
Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.
We have been working with the TAC since yesterday, and it seems no luck on that.
Thank you
Hello,
It seems that you are experiencing a known issue with the DNS Security feature in PAN-OS 10.1.11-h4. According to the Palo Alto Networks Knowledge Base, there is a bug that causes the DNS Security to incorrectly sinkhole domains that are in the allow list of the DNS policy. This bug affects the VM-Series firewalls that are configured as DNS proxies and use external dynamic lists (EDLs) of type domain in the DNS policy.
The workaround for this issue is downgrade the PAN - OS version 10.1,10 or earlier or to upgrade to 10.1.12 or later, which have fixed this bug. Alternatively, you can disable the DNS Security feature on the VM-Series firewalls until you can upgrade or downgrade the PAN-OS version.
I hope this helps to understand and resolve the issue.
Best regards,
Nicholas185Smith
02-22-2024 08:02 PM - edited 02-27-2024 07:43 PM
@DerejeBallSportsGear@Dereje wrote:
We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.
We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.
Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.
We have been working with the TAC since yesterday, and it seems no luck on that.
Thank you
Hello,
It seems that you are experiencing a known issue with the DNS Security feature in PAN-OS 10.1.11-h4. According to the Palo Alto Networks Knowledge Base, there is a bug that causes the DNS Security to incorrectly sinkhole domains that are in the allow list of the DNS policy. This bug affects the VM-Series firewalls that are configured as DNS proxies and use external dynamic lists (EDLs) of type domain in the DNS policy.
The workaround for this issue is downgrade the PAN - OS version 10.1,10 or earlier or to upgrade to 10.1.12 or later, which have fixed this bug. Alternatively, you can disable the DNS Security feature on the VM-Series firewalls until you can upgrade or downgrade the PAN-OS version.
I hope this helps to understand and resolve the issue.
Best regards,
Nicholas185Smith
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
