This blog written by Zachary Malone. 

What's the Concept and Problem We Are Fixing?

We have had the DNS Security subscription for just over 5 years now, and in that time it has been extremely successful at solving major issues that companies were struggling with such as data leakage via DNS tunneling, domain risks like fast flux, dynamic generation of DNS, and many more. As we gained more and more capabilities, we recognized that certain types of malicious actions, such as DNS Hijacking, could not be resolved with the current Cloud Delivered structure that DNS Security leverages. To handle DNS Hijacking we needed to have a direct inline Machine Learning model running on a PAN-OS device in that path to build a behavioral model of a company's normal DNS activity. Hence Advanced DNS is being released to extend the inline machine learning engine already available with our existing advanced subscription (Threat Prevention, URL Filtering, and WildFire) to support DNS modeling that will protect companies against evolving threats like DNS Hijacking. Advanced DNS Security will unlock additional capabilities for identifying and controlling interactions around misconfigured DNS, DNS Spoofing, and more. 

How Does That Work?

To understand if a DNS record or domain has been hijacked, we must first know how the domain typically acts. We also need to have a mapping of the company’s current DNS domains to know what is in scope (The ML engine will do this discovery and monitoring work automatically, but can also be guided to specific domains). From here the inline ML engine will create a local mapping of the domains, and record details to not only provide a recounting of “What things were like before and after the hijacking” (behavioral analytics) but also provides a method to determine if a domain is properly configured or not so that risky misconfigured domains can have appropriate access policy placed upon them. Advanced DNS Security also brings additional context to DNS Security logging that will improve root cause analysis.

What Does This Mean for Admin / Ops Teams?

Once the license is installed, operating Advanced DNS Security is quite simple, and getting the details and logs of what it finds is even simpler. Configuration can be as simple as checking two boxes in your Anti-Spyware profile/s, logging the visibility will automatically roll into Dashboard and Threat logs. Simple yet effective protection that everyone can use.

Initial Configuration

Administrators will find new options to be enabled in their Anti-Spyware profiles once the Advanced DNS subscription has been properly licensed.

1. Select an existing Anti-Spyware security profile or Add a new one (Objects > Security Profiles > Anti-Spyware). 
2. Select your Anti-Spyware security profile and then go to DNS Policies. 
3. For each Advanced DNS Security domain category, specify a Log Severity and Policy Action to take when a domain type is detected using a corresponding analysis engine. There are currently two analysis engines available: Dns Misconfiguration Domains and Hijacking Domains. 

(Optional Settings) 

Set the domains to analyze for misconfiguration

Specify any public-facing parent domains within your organization that you want Advanced DNS Security to analyze and monitor for the presence of misconfigured domains. Misconfigured domains are inadvertently created by domain owners who point alias records to third-party domains using CNAME, MX, NS record types, using entries that are no longer valid, allowing an attacker to take over the domain by registering the expired or unused domains. (TLDs (top-level domains) and root level domains cannot be added to the DNS Zone Misconfigurations list.)

1. Select an Anti-Spyware security profile (Objects > Security Profiles > Anti-Spyware) and go to DNS Policies. 
2. In the DNS Zone Misconfigurations section, add public-facing parent domains with an optional description to assist you in identifying domain usage or ownership within your organization.

Set the signature lookup timeout

Configure the maximum Advanced DNS signature lookup timeout setting. When this value is exceeded, the DNS response passes through without performing analysis using Advanced

DNS Security. DNS signatures (and their associated policies) that are delivered through regular content updates or are part of configured EDLs (external dynamic lists) or DNS exceptions are still applied. 

1. Select Device > Setup > Content-ID > Advanced DNS Security. 
2. Specify an updated maximum Advanced DNS signature lookup timeout setting in milliseconds. The default is 100ms and is the recommended setting. 

Monitoring and Dashboards

Logs will be rolled into the Threat logging Monitor > Logs > Threat Administrators can filter the logs based on the specific type of Advanced DNS Security domain category, for example ( category-of-threatid eq adns-hijacking )

New Advanced DNS Security Categories 

• DNS Hijacking—adns-hijacking 

Threat ID of (UTID: 109,004,100). 

• DNS Misconfiguration—adns-dnsmisconfig 

DNS Misconfiguration domains have three threats IDs, which correspond to three variants of DNS misconfiguration domains types: 

dnsmisconfig_zone (UTID: 109,004,200)

dnsmisconfig_zone_dangling (UTID: 109,004,201) 

dnsmisconfig_claimable_nx (UTID: 109,004,202) 

You can constrain the search by cross-referencing a Threat-ID value that corresponds to a specific DNS misconfiguration domain type. 

For example, ( category-of threatid eq adns-dnsmisconfig ) and (threatid eq 109004200), whereby 109004200 indicates the Threat ID of a DNS misconfiguration domain that does not route traffic to an active domain due to a DNS server configuration issue. 

Advanced DNS also brings additional context to DNS Security logs, which can be found with the following filters:

• DNS —adns-benign 
• Malware Domains —adns-malware 
• Command and Control Domains—adns-c2
• Phishing Domains—adns-phishing 
• Dynamic DNS Hosted Domains—adns-ddns 
• Newly Registered Domains—adns-new-domain 
• Grayware Domains—adns-grayware 
• Parked Domains—adns-parked 
• Proxy Avoidance and Anonymizers—adns-proxy 
• Ad Tracking Domains—adns-adtracking

Advanced DNS Security Widgets will be added to the existing DNS Security dashboard Dashboards > More Dashboards > DNS Security:

• Misconfigured Domains—View a list of non-resolvable domains associated with the user specified public-facing parent domain(s). For each entry, there is a misconfiguration reason and a traffic hit count based on the source IP. 

• Hijacked Domains—View a list of hijacked domains as determined by Advanced DNS Security. For each entry, there is a categorization reason and a traffic hit count based on the source IP.

The Command Center in Strata Cloud Manager will also include Advanced DNS details in the Threats -> DNS Security drill down.

Where Can I Go To Learn More?

DNS Hijacking Overview Blog