Palo Alto DNS Security


Static bad domain list comes with the threat content update (default-paloalto-dns).

Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated through advanced analysis.

Both DNS Security and Advanced DNS Security are cloud-delivered security subscriptions


Palo Alto Networks® provides specialized integrated protection from DNS-based threats with two security subscription options: DNS Security and Advanced DNS Security.

These cloud-delivered security subscriptions require the presence of an Advanced Threat Prevention or Threat Prevention subscription.

By applying advanced machine learning and predictive analytics to a diverse range of threat intelligence sources, DNS Security rapidly generates enhanced DNS signatures to defend against known malicious DNS categories, as well as real-time analysis of DNS requests to defend your network against newly generated and unknown malicious domains. DNS Security can detect various DNS threats, including DNS tunneling, DNS rebinding attacks, domains created using auto-generation, malware hosts, and many more.


Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and requires active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

Advanced DNS Security requires the DNS Security license; DNS queries are sent to the cloud for analysis.


The Advanced DNS Security service is a complementary subscription offering that operates in conjunction with the DNS Security subscription. It enables access to new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real time.


Regular DNS Security works somewhat like URL Filtering: it categorizes a record's FQDN as good or bad.

Advanced DNS Security (A-DNS) goes a little further and also inspects the DNS response itself for any markers that could indicate a problem (for example, signs of hijacking):

Flightsim


https://github.com/alphasoc/flightsim


flightsim is an application which generates malicious network traffic for security
teams to evaluate security controls (e.g. firewalls) and ensure that monitoring tools
are able to detect malicious traffic.


Test domains (one per DNS Security category):

Malware - test-malware.testpanw.com
C2 - test-c2.testpanw.com
DGA - test-dga.testpanw.com
DNS Tunneling - test-dnstun.testpanw.com


More test domains:

https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/dns-security-test-domains
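As an added example (not Palo Alto's or flightsim's code), a small Python checker that resolves the test domains listed above and reports, per category, whether the query was sinkholed, blocked, or answered normally (a gap). The sinkhole address and the control domain are placeholders you must replace with your own firewall's values.

```python
"""Verify DNS Security enforcement using the testpanw.com test domains.

Added example, not Palo Alto's code. Assumptions: lookups from this host pass
through the firewall, and SINKHOLE_IPS holds the sinkhole address configured in
the Anti-Spyware / DNS Security profile (constructed placeholder below).
"""
import socket

# Test domains from the notes above, keyed by the DNS Security category they exercise.
TEST_DOMAINS = {
    "malware": "test-malware.testpanw.com",
    "c2": "test-c2.testpanw.com",
    "dga": "test-dga.testpanw.com",
    "dns-tunneling": "test-dnstun.testpanw.com",
}


def classify(answers, sinkhole_ips, error=None):
    """Turn one lookup result into a verdict.

    'sinkholed': an answer matched the firewall's sinkhole address (policy action = sinkhole)
    'blocked'  : resolver error or empty answer (policy action = block/drop, or NXDOMAIN)
    'resolved' : a normal answer came back, i.e. the category is NOT being enforced
    """
    if error is not None or not answers:
        return "blocked"
    if any(ip in sinkhole_ips for ip in answers):
        return "sinkholed"
    return "resolved"


def resolve(name):
    """Return (sorted list of IPv4 answers, error) using the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos}), None
    except socket.gaierror as exc:
        return [], exc


def run_checks(sinkhole_ips, resolver=resolve, control="example.com"):
    """Resolve every test domain and return {category: verdict}.

    A control lookup runs first so that a dead resolver is not mistaken for 'blocked'.
    """
    answers, err = resolver(control)
    if err is not None or not answers:
        raise RuntimeError(f"control lookup for {control} failed; resolver unreachable?")
    return {cat: classify(*resolver(name), sinkhole_ips=sinkhole_ips) if False else
            classify(resolver(name)[0], sinkhole_ips, resolver(name)[1])
            for cat, name in TEST_DOMAINS.items()}
```

Run it directly to print one line per category; any category reported as "resolved" means that test domain was answered normally and the profile is not enforcing it.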




A domain generation algorithm (DGA) is a program that generates large numbers of new domain names. Cybercriminals and botnet operators use domain generation algorithms to frequently change the domains they use to launch malware attacks.


Besides the Palo Alto provided bad-domain list, a custom EDL (external dynamic list) of domains can be created.


AV includes the top C2 threats that Palo Alto threat hunting teams see. AV is updated every 24 hours. There is a finite number of domains that can exist in these updates, and also a limit to what firewalls can handle.


The DNS subscription can overlap with coverage of domains that might exist in AV, but it is far more scalable. Any new domains that are found to be suspicious or malicious can be blocked immediately at the firewall, since DNS queries are sent up to the Palo Alto cloud. AV covers the top C2 domains, URL Filtering covers web GET/POST/PUT traffic, and DNS Security covers the DNS request before anything else is reached. All subscriptions overlap somewhat, but DNS Security gives the broadest coverage of all of them for blocking attacker domains.

