Advanced DNS Security Powered by Precision AI™
About DNS Security Subscription Services
Learn how the Palo Alto Networks DNS Security subscription services can help protect your
network from advanced DNS-based threats.
Palo Alto Networks® provides specialized integrated protection from DNS-based threats
with two security subscription options: DNS Security and Advanced DNS Security. These
cloud-delivered security subscriptions operate
using shared underpinnings with Palo Alto Networks Threat Prevention solutions to provide a
comprehensive DNS security solution, and as such, require the presence of an Advanced
Threat Prevention or Threat Prevention subscription.
The DNS Security cloud service is designed to protect your organization from a multitude of
advanced DNS-based threats. By applying advanced machine learning and predictive
analytics to a diverse range of threat intelligence sources, DNS Security rapidly
generates enhanced DNS signatures to defend against known malicious DNS categories and
analyzes DNS requests in real time to defend your network against newly
generated and unknown malicious domains. DNS Security can detect various DNS threats,
including DNS tunneling, DNS rebinding attacks, domains created using auto-generation,
malware hosts, and many more.
With an active threat prevention solution operating on supported network security
platforms, customers can sinkhole DNS requests using a list of domains generated by Palo
Alto Networks. These locally-accessed, customizable DNS signature lists are packaged
with antivirus and WildFire updates and include the
most relevant threats for policy enforcement and protection at the time of publication.
For improved coverage against threats using DNS, the DNS Security subscription enables
users to access real-time protections using advanced predictive analytics. Using
techniques such as DGA/DNS tunneling detection and machine learning, threats hidden
within DNS traffic can be proactively identified and shared through an infinitely
scalable cloud service. Because the DNS signatures and protections are stored in a
cloud-based architecture, you can access the full database of ever-expanding signatures
that have been generated using a multitude of data sources. This allows you to defend,
in real time, against an array of DNS-based threats and newly generated malicious
domains. To combat future threats, updates to the analysis, detection, and prevention
capabilities of the DNS Security service will be available through content releases.
To access the basic DNS Security service, you must have a valid Advanced Threat
Prevention or Threat Prevention license and Advanced DNS Security or DNS Security
license in addition to any base licenses required to operate your network security
platform.
DNS Security subscriptions are available on the following Palo Alto Networks network
security platforms:
The Advanced DNS Security service is a complementary subscription offering that operates
in conjunction with the DNS Security subscription. It enables access to new domain
detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to
detect various types of DNS hijacking in real time. With access to Advanced DNS Security
operating on PAN-OS 11.2 and later releases, you can detect and block DNS responses from
hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be
introduced into your network by either directly manipulating DNS responses or by
exploiting configuration settings of the DNS infrastructure of an organization in order
to redirect the user to a malicious domain from which the attackers initiate additional attacks.
The primary difference between these two techniques is where the exploit occurs. In the
case of DNS hijacking, the attacker gains the ability to resolve DNS queries to
attacker-operated domains by compromising some aspect of an organization's DNS
infrastructure, be it the DNS provider’s administrative access, an MiTM attack during
the DNS resolution process, or the DNS server itself. Misconfigured domains present a
similar problem: the attacker seeks to incorporate their own malicious domain into an
organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS
records that allow attackers to take ownership of the customer’s subdomain.
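
An added example (not part of the original page and not Palo Alto Networks' detection logic): a self-audit for the outdated-record case described above, flagging CNAME records in a zone export whose targets no longer exist. The zone `example.com.`, the record data and the `LIVE` lookup set are constructed; in real use the `resolves` callable would wrap an actual resolver query.

```python
from collections import namedtuple

# Constructed zone export for the hypothetical zone example.com.
ZONE = """\
www    300 IN CNAME web.example.com.
web    300 IN A     192.0.2.10
shop   300 IN CNAME shop-prod.cloudhost.example.net.
promo  300 IN CNAME promo2019.cloudhost.example.net.
docs   300 IN CNAME old-docs
"""
# Constructed stand-in for live lookups: external names that still resolve.
LIVE = {"shop-prod.cloudhost.example.net."}

Record = namedtuple("Record", "name rtype value")  # name is a lower-case FQDN

def fqdn(name, origin):
    """Expand a relative zone-file name against the zone origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse 'name ttl IN type value' lines, ignoring ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, value = fields
        if rtype.upper() == "CNAME":
            value = fqdn(value, origin)
        records.append(Record(fqdn(name, origin), rtype.upper(), value))
    return records

def audit_cnames(records, origin, resolves):
    """Return (owner, target, reason) for CNAMEs whose target no longer exists."""
    owners = {r.name for r in records}
    findings = []
    for r in records:
        if r.rtype != "CNAME":
            continue
        in_zone = r.value == origin or r.value.endswith("." + origin)
        if in_zone and r.value not in owners:
            findings.append((r.name, r.value, "stale-internal"))
        elif not in_zone and not resolves(r.value):
            findings.append((r.name, r.value, "stale-external"))
    return findings

FINDINGS = audit_cnames(parse_zone(ZONE, "example.com."), "example.com.", LIVE.__contains__)
print(FINDINGS)
```

A `stale-external` finding is the case to fix first: the record still delegates a name in your zone to a resource outside it that no longer exists, so remove or repoint the record.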
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in
real time by operating cloud-based detection engines, which provide DNS health support
by analyzing DNS responses using ML-based analytics to detect malicious activity.
Because these detectors are located in the cloud, you can access a wide array of
detection mechanisms that are updated and deployed automatically without requiring the
user to download update packages when changes to detectors are made. Upon initial
release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration
Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent
to the Advanced DNS Security cloud for enhanced response analysis to more accurately
categorize and return a result in a real-time exchange. Analysis models are delivered
through content updates; however, enhancements to existing models are performed as a
cloud-side update, requiring no firewall update.
Advanced DNS Security is enabled and configured through the Anti-Spyware (or
DNS Security) profile and requires active Advanced DNS Security and Advanced Threat
Prevention (or Threat Prevention) licenses.
To access the Advanced DNS Security service, you must have a valid Advanced Threat
Prevention or Threat Prevention license and Advanced DNS Security license in
addition to any base licenses required to operate your network security
platform.
Advanced DNS Security subscriptions are available on the following Palo Alto Networks
network security platforms:
Learn about deploying and monitoring DNS Security and Advanced DNS Security in your network: