What Information is Submitted to the Palo Alto ...

| Palo Alto Networks Live 3/24/15, 5:38 AM

All Places > Knowledge Base > Documents

What Information is Submitted to the Palo

Alto Networks when Enabling the Passive
DNS Feature Version 7

created by achalla on Jun 24, 2014 1:55 PM, last modified by panagent on Jul 4, 2014 12:33 PM

PAN-OS 6.0

Details
Enabling passive DNS monitoring is an opt-in feature in PAN-OS 6.0 or later. It enables the Palo Alto Networks
firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in
order to improve threat intelligence and threat prevention capabilities.

The DNS responses are only forwarded to the Palo Alto Networks and are only forwarded when the following
requirements are met:
1. DNS response bit is set
2. DNS truncated bit is not set
3. DNS recursive bit is not set
4. DNS response code is 0 or 3 (NX)
5. DNS question count bigger than 0
6. DNS Answer RR count is bigger than 0 or if it is 0, the flags need to be 3 (NX)
7. DNS query record type are "A,NS,CNAME, AAAA, MX"

To enable the passive DNS monitoring on a Palo Alto Networks firewall go to: Objects > Security Profiles > Anti-
Spyware Profile > DNS Signatures and check the box Enable Passive DNS Monitoring, and commit the changes:

https://live.paloaltonetworks.com/docs/DOC-7256 Page 1 of 3
What Information is Submitted to the Palo Alto ... | Palo Alto Networks Live 3/24/15, 5:38 AM

owner: achalla

699 Views Categories: Setup, Management & Administration Tags: passive_dns, dns_monitoring

Average User Rating

(2 ratings)

0 Comments

There are no comments on this document.

1.866.320.4788 Privacy Policy Legal Notices Site Index Subscriptions

Copyright 2007-2013 Palo Alto Networks

Home | Top of page | About Jive | Help 2007-2012 Jive Software |

https://live.paloaltonetworks.com/docs/DOC-7256 Page 2 of 3
What Information is Submitted to the Palo Alto ... | Palo Alto Networks Live 3/24/15, 5:38 AM

https://live.paloaltonetworks.com/docs/DOC-7256 Page 3 of 3