Passive DNS Monitoring
Passive DNS monitoring enables the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive DNS query (that is, the web browser sends a query to a DNS server to translate a domain to an IP address, and the server returns a response without querying other DNS servers) and response packet payloads. See DNS Overview for more background information about DNS.
The threat intelligence that the firewall collects from passive DNS monitoring consists solely of domain-to-IP address mappings. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date. The Palo Alto Networks threat research team uses passive DNS information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection.
The firewall forwards DNS responses only when all of the following requirements are met:
DNS response (QR) bit is set
DNS truncated (TC) bit is not set
DNS recursive bit is not set
DNS response code is 0 (NOERROR) or 3 (NXDOMAIN)
DNS question count is greater than 0
DNS answer RR count is greater than 0, or, if it is 0, the response code is 3 (NXDOMAIN)
DNS query record type is A, NS, CNAME, AAAA, or MX
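The requirements above map directly onto fields of the 12-byte DNS header and the first question entry. The following Python script, added here as an illustration and not code from the Palo Alto Networks documentation or firewall, parses a raw DNS message, applies each rule in the order listed, and reports why a message would not be forwarded. It assumes that the page's "recursive bit" refers to the RD (recursion desired) flag at bit 8 of the flags word; the sample messages, the domain names and the 192.0.2.1 answer address (TEST-NET-1) are constructed for the example.

```python
import struct

# Query record types the page says are forwarded, keyed by RR type code (RFC 1035 / RFC 3596).
FORWARDED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def parse_header(pkt):
    """Unpack the 12-byte DNS header into the fields the forwarding rules use."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than a DNS header")
    _ident, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "qr": (flags >> 15) & 1,   # 1 = response, 0 = query
        "tc": (flags >> 9) & 1,    # truncated
        "rd": (flags >> 8) & 1,    # recursion desired (assumed to be the page's "recursive bit")
        "rcode": flags & 0xF,      # 0 = NOERROR, 3 = NXDOMAIN
        "qdcount": qdcount,
        "ancount": ancount,
    }


def first_question(pkt):
    """Return (name, qtype) of the first question entry following the header."""
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            raise ValueError("question section runs past end of packet")
        length = pkt[off]
        if length == 0:            # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer also terminates the name
            off += 2
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if off + 4 > len(pkt):
        raise ValueError("question missing QTYPE/QCLASS")
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return ".".join(labels), qtype


def forwarding_eligible(pkt):
    """Apply the page's forwarding requirements in order; returns (eligible, reason)."""
    h = parse_header(pkt)
    if not h["qr"]:
        return False, "QR bit clear: a query, not a response"
    if h["tc"]:
        return False, "TC bit set: truncated response"
    if h["rd"]:
        return False, "recursive bit set"
    if h["rcode"] not in (0, 3):
        return False, f"rcode {h['rcode']} is neither NOERROR nor NXDOMAIN"
    if h["qdcount"] == 0:
        return False, "no question section"
    if h["ancount"] == 0 and h["rcode"] != 3:
        return False, "no answer RRs and not NXDOMAIN"
    name, qtype = first_question(pkt)
    if qtype not in FORWARDED_QTYPES:
        return False, f"qtype {qtype} not in forwarded set"
    return True, f"{FORWARDED_QTYPES[qtype]} {name}"


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode=0, qr=True, tc=False, rd=False, answers=0):
    """Construct a minimal DNS message for the example (constructed, not captured traffic)."""
    flags = (int(qr) << 15) | (int(tc) << 9) | (int(rd) << 8) | rcode
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)
    pkt += _encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    for _ in range(answers):
        # Answer RR: name pointer to offset 12, type A, class IN, TTL 300, RDLENGTH 4, 192.0.2.1
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return pkt


# Constructed sample messages, one per rule.
SAMPLES = {
    "a_record":  build_response("www.example.com", 1, answers=1),
    "nxdomain":  build_response("nope.example.com", 1, rcode=3),
    "query":     build_response("www.example.com", 1, qr=False),
    "truncated": build_response("www.example.com", 1, tc=True, answers=1),
    "recursive": build_response("www.example.com", 1, rd=True, answers=1),
    "servfail":  build_response("www.example.com", 1, rcode=2),
    "empty":     build_response("www.example.com", 1, rcode=0, answers=0),
    "txt":       build_response("www.example.com", 16, answers=1),
}


def classify_samples():
    """Run every sample through the rules; maps sample name to (eligible, reason)."""
    return {name: forwarding_eligible(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in classify_samples().items():
        print(f"{name:10} {'forward' if ok else 'drop':7} {why}")
```

Only the first two samples pass: a normal answer with at least one RR, and an NXDOMAIN response whose empty answer section is accepted because the response code is 3. The example stops at the question entry, which is all the rules need; the answer RRs are never inspected, matching the page's statement that only domain-to-IP mappings are derived from forwarded responses.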