DNS Security
40% More DNS Threat Coverage Than Any Other Available Solution

The Domain Name System (DNS) is wide open for attackers. Its ubiquity and high traffic volume make it easy for adversaries to hide malicious activity. The Palo Alto Networks Unit 42 Threat Research team identified that 85% of malware uses DNS to initiate command-and-control (C2) procedures. Attackers can also abuse DNS using a multitude of techniques to deliver malware and exfiltrate data. Unfortunately, security teams often lack basic visibility into how threats use DNS that would enable them to respond effectively. Current approaches lack automation; drown you in uncoordinated data from independent tools; or require changes to DNS infrastructure that can not only be bypassed, but also require continual maintenance. It’s time to take back control of your DNS traffic.

Business Benefits
• Keep your organization safe from the latest DNS-based threats. Using inline machine learning, identify and disrupt the latest attacks that abuse DNS.
• Reduce costs and consolidate vendors with DNS security tools. Extend your NGFW investment and save time in operations with a single coordinated network security stack for all alerts, policies, rule violations, IDPS, web security, malware analysis, and DNS.
• Enjoy the latest security innovations with no user impact. Built on a modular, cloud-based architecture, DNS Security seamlessly adds new detection, prevention, and analytics capabilities without requiring reconfiguration, unlike other solutions.
• Optimize your security posture. Use your DNS Security Analytics dashboard to ensure NGFWs with significant DNS traffic are protected.
Palo Alto Networks | DNS Security | Datasheet 1
DNS Security gives you real-time protection, applying industry-first protections to disrupt attacks
that use DNS. Tight integration with a Palo Alto Networks Next-Generation Firewall (NGFW) gives you
automated protections, prevents attackers from bypassing security measures, and eliminates the need
for independent tools or changes to DNS routing. DNS Security gives your organization a critical new
control point to stop attacks.
The DNS Security Difference
Built in the cloud, DNS Security is a subscription service that works natively with your NGFW to secure
your DNS traffic.
Shared threat intelligence and machine learning (ML) rapidly identify any threats hidden in DNS traffic.
Cloud-based protections are delivered instantly, scale infinitely to all users, and are always up to date.
A purpose-built analytics dashboard provides full visibility into your DNS traffic along with one-click
context for any attack the DNS Security service detects. DNS Security delivers:
• Unparalleled protection from DNS-based threats through groundbreaking inline ML algorithms that
predict and identify new and advanced threats, disrupting attacks.
• Security that can’t be bypassed by changing DNS settings.
• Incredible ease of deployment—simply turn on and manage your subscription through your NGFW.
Don’t worry about rerouting DNS traffic or working through lengthy change management processes.
• Maximized operational efficiency by securing DNS traffic through the Palo Alto Networks platform.
Key Capabilities
Protect Against the Latest and Most Advanced DNS-Based Attacks
Beyond malware, phishing, and other traditional threats, adversaries also exploit DNS to establish reliable C2, attack hosts inside the corporate network from the internet, perform distributed denial-of-service (DDoS) attacks, and even cause reputational harm by taking over your domains. Modern DNS-layer security must be able to identify and disrupt these attacks.
Figure 1: Secure your DNS traffic with industry-leading protections. (Figure: DNS Security, combining threat intelligence and ML-powered detection engines, natively integrated with Prisma Access (Secure Access Service Edge) and NGFW (hardware, VM, CN) across branch, HQ, data center, mobile user, and public cloud deployments. Callouts: natively integrated, complete visibility, comprehensive coverage. DNS-layer attacks prevented in Q4 2021: 1.7 billion malicious domains blocked, 105 million DGA domains blocked, 38 million DNS tunnels blocked.)
Detecting and preventing sophisticated DNS-layer network attacks and data exfiltration techniques
requires ML algorithms that can rapidly analyze DNS traffic and get ahead of threats. It also requires
robust threat intelligence to inform those algorithms and measures designed to protect against specific
attack techniques. Finally, it requires enforcement points to block or sinkhole malicious DNS activity
once identified.
The DNS Security service predicts and stops malicious domains with instant enforcement through the NGFW, protecting you against automated attacks. Our ML-enabled detection engines (see table 2) solve key emerging DNS-based attacks, such as ultra-slow DNS tunneling, dangling DNS, and DNS rebinding. DNS Security can even predict new malicious domains right after their registration, before they can be used against you. DNS Security’s comprehensive, market-leading protections provide you with the most effective security regardless of DNS settings, configurations, and deployment model.
Stop Known Threats
The DNS Security subscription offers limitless protection against tens of millions of malicious domains,
identifying them with real-time analysis and continuously growing global threat intelligence. Our cloud
database scales with data from a large and ever-expanding threat intelligence sharing community,
adding to Palo Alto Networks sources that include:
• Advanced WildFire malware prevention service to find new C2 domains, file download source domains, and domains in malicious email links.
• URL Filtering to continuously crawl newfound or uncategorized sites for threat indicators.
• Passive DNS and device telemetry to understand domain resolution history seen from thousands of deployed NGFWs, generating petabytes of data per day.
• Unit 42 threat research to provide human-driven adversary tracking and malware reverse engineering, including insight from globally deployed honeypots.
• More than 30 third-party sources of threat intelligence to enrich data and ensure you have coverage.
Leverage Category-Based Action
Create policies specific to DNS traffic types. All DNS queries are checked against our scalable cloud database in real time to determine appropriate enforcement actions. DNS Security uses ML to rapidly detect and categorize threats over DNS. Based on those categories, the most effective responses are automatically implemented through granular policy-based actions. Set policy to block, alert, or sinkhole based on categories that include malware, DGA, DNS tunneling, C2, dynamic DNS, or newly registered domains. With granular categories of DNS traffic (see table 1), administrators can craft custom policies to handle good, malicious, and suspicious domains independently.

Table 1: DNS Security Categories

| Category | Description |
|---|---|
| Command and Control (C2) | This category includes URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data (this includes DNS tunneling detection and DGA detection). |
| Dynamic DNS (DDNS) | DNS Security detects exploitative DDNS services by filtering and cross-referencing DNS data from various sources to generate candidate lists, which are then further validated to maximize accuracy. |
| Malware | Malicious domains host and distribute malware and can include websites that attempt to install various threats (e.g., executable files, scripts, viruses, drive-by downloads). |
| Newly Registered Domains (NRD) | Newly registered domains are new, never-registered domains that have been recently added by a TLD operator or entity. While new domains can be created for legitimate purposes, the vast majority are often used to facilitate malicious activities, such as operating as C2 servers or distributing malware, spam, PUP/adware. |
| Phishing | Phishing domains attempt to lure users into submitting sensitive data, such as personal information or user credentials, by masquerading as legitimate websites through phishing or pharming. |
| Grayware | Grayware domains generally do not pose a direct security threat; however, they can facilitate vectors of attack, produce various undesirable behaviors, or might simply contain questionable/offensive content. |
| Parked | Parked domains are typically inactive websites that host limited content, often in the form of click-through ads, which may generate revenue for the host entity but generally do not contain content that is useful to the end user. |
| Proxy Avoidance & Anonymizers | Proxy avoidance and anonymizers are services that are used to bypass content filtering policies. |
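The category-to-action policy described above, worked through as an added example (this is illustrative code, not Palo Alto Networks' or PAN-OS's implementation). It assumes a constructed category lookup under reserved `.example` names, a constructed policy table mapping each category to an action and log severity, and an assumed internal sinkhole address of 10.0.0.254. The sinkhole branch builds a real wire-format A answer so the client resolves the malicious name to the sinkhole; a block drops the query (no response), and an alert lets it through with a log entry.

```python
import struct
from ipaddress import IPv4Address

# Constructed category lookup, standing in for the cloud database the datasheet
# describes. Names under .example are reserved and never resolve on the internet.
CATEGORY_OF_DOMAIN = {
    "c2-beacon.example": "command-and-control",
    "dl-dropper.example": "malware",
    "login-verify.example": "phishing",
    "fresh-site.example": "newly-registered-domain",
    "ads-parked.example": "parked",
}

# Constructed policy: category -> (action, log severity), mirroring the
# block / alert / sinkhole actions and per-category severities in the text.
POLICY = {
    "command-and-control": ("sinkhole", "critical"),
    "malware": ("sinkhole", "high"),
    "phishing": ("block", "high"),
    "newly-registered-domain": ("alert", "medium"),
    "parked": ("alert", "low"),
}
DEFAULT_DECISION = ("allow", "informational")
SINKHOLE_IP = "10.0.0.254"  # assumed address of an internal sinkhole listener


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Encode a standard recursive DNS query (one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, end_of_question) for a single-question packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    offset, labels = 12, []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    offset += 1  # skip the root label
    qtype = struct.unpack("!H", packet[offset:offset + 2])[0]
    return txid, ".".join(labels).lower(), qtype, offset + 4


def classify(qname: str):
    """Walk from the full name up to its parents so subdomains inherit the category."""
    labels = qname.split(".")
    for i in range(len(labels)):
        category = CATEGORY_OF_DOMAIN.get(".".join(labels[i:]))
        if category:
            return category
    return None


def decide(qname: str):
    """Look up the category and return (category, action, severity)."""
    category = classify(qname)
    action, severity = POLICY.get(category, DEFAULT_DECISION)
    return category, action, severity


def sinkhole_response(query: bytes, sinkhole_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Forge an A answer so the queried name resolves to the sinkhole address."""
    txid, _, _, end = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, NOERROR
    # Name pointer to the question (0xC00C), type A, class IN, TTL, RDLENGTH 4, address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(sinkhole_ip).packed
    return header + query[12:end] + answer


def handle(query: bytes) -> dict:
    """Apply the category policy to one query; 'response' is the forged reply or None (drop/allow)."""
    _, qname, qtype, _ = parse_query(query)
    category, action, severity = decide(qname)
    response = None
    if action == "sinkhole" and qtype == 1:  # only A queries get a forged A record here; others are dropped
        response = sinkhole_response(query)
    return {"qname": qname, "category": category, "action": action,
            "severity": severity, "response": response}


if __name__ == "__main__":
    for name in ("beacon.c2-beacon.example", "www.login-verify.example", "www.example.org"):
        print(handle(build_query(0x1234, name)))
```

The category walk matters in practice: a lookup that only matches the exact queried name misses `beacon.c2-beacon.example` when the database lists `c2-beacon.example`, so the loop tries each parent name in turn.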
Identify and Quarantine Infected Systems
Use automation to prevent the spread of infection. Automate dynamic response to find infected machines and quickly respond in policy. When attacks using DNS are identified, security administrators can automate the process of sinkholing malicious domains on the NGFW to cut off C2, rapidly identify infected users on the network, and even isolate them. Combining malicious domain sinkholing, Dynamic Address Groups (DAGs), and logging actions enables automation of detection and response workflows, saving analysts time by removing the slow and manual processes other solutions require.
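The sinkhole-to-quarantine workflow above, as an added example that is not part of the datasheet or of any Palo Alto Networks product. It runs over a constructed log excerpt (not the real PAN-OS log format) with an assumed sinkhole address of 10.0.0.254 and a constructed resolver at 10.1.1.53. The point it demonstrates is why sinkholing identifies infected hosts at all: the DNS threat log shows the internal resolver as the query source, so only the later connection attempt to the sinkhole address reveals the real client. The output is the host list a Dynamic Address Group tag would be applied to.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

SINKHOLE_IP = "10.0.0.254"  # assumed sinkhole address configured in the DNS policy

# Constructed log excerpt (not the real PAN-OS log format). Two record shapes:
#   <timestamp>,THREAT,dns-sinkhole,<source ip>,<domain>
#   <timestamp>,TRAFFIC,<source ip>,<destination ip>,<destination port>
# The THREAT source is 10.1.1.53, the internal resolver that forwarded the
# query, so the DNS record alone cannot name the infected client.
SAMPLE_LOG = """\
2022-11-22T10:00:01,THREAT,dns-sinkhole,10.1.1.53,c2-beacon.example
2022-11-22T10:00:02,TRAFFIC,10.1.5.20,10.0.0.254,443
2022-11-22T10:00:04,THREAT,dns-sinkhole,10.1.1.53,dl-dropper.example
2022-11-22T10:00:05,TRAFFIC,10.1.7.8,10.0.0.254,80
2022-11-22T10:00:06,TRAFFIC,10.1.9.3,93.184.216.34,443
2022-11-22T10:30:00,TRAFFIC,10.1.12.40,10.0.0.254,8080
"""


def parse_log(text):
    """Split the excerpt into sinkhole events and traffic sessions."""
    sinkhole_events, sessions = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        ts = datetime.fromisoformat(fields[0])
        if fields[1] == "THREAT" and fields[2] == "dns-sinkhole":
            sinkhole_events.append((ts, fields[3], fields[4]))
        elif fields[1] == "TRAFFIC":
            sessions.append((ts, fields[2], fields[3], int(fields[4])))
    return sinkhole_events, sessions


def find_infected(text, sinkhole_ip=SINKHOLE_IP, window_seconds=300):
    """Map each client that connected to the sinkhole to the domains sinkholed shortly before."""
    events, sessions = parse_log(text)
    infected = defaultdict(set)
    for ts, src, dst, _port in sessions:
        if dst != sinkhole_ip:
            continue
        # A resolver sits between client and firewall, so every domain sinkholed
        # within the preceding window is a candidate for this client.
        for ev_ts, _resolver, domain in events:
            if 0 <= (ts - ev_ts).total_seconds() <= window_seconds:
                infected[src].add(domain)
        # A connection to the sinkhole is evidence on its own, even with no matching event.
        infected.setdefault(src, set())
    return {host: sorted(domains) for host, domains in infected.items()}


def quarantine_members(infected, tag="quarantine"):
    """(host, tag) pairs to register so a Dynamic Address Group built on the tag isolates them."""
    return [(host, tag) for host in sorted(infected, key=ip_address)]


if __name__ == "__main__":
    hosts = find_infected(SAMPLE_LOG)
    for host, domains in hosts.items():
        print(host, domains)
    print(quarantine_members(hosts))
```

Note that 10.1.12.40 is listed with no attributed domain: it reached the sinkhole long after any logged sinkhole event, which is exactly the case where the connection attempt, not the DNS log, is the evidence of infection.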
Get Insight from DNS Analytics
Give your security personnel the context they need to take action. Threat reporting capabilities allow
deeper insights into threats than ever before, delivering full visibility into DNS traffic with:
• Complete history across any domain via an easy-to-use dashboard to help inform where domains are
coming from, validate what is malicious, and support incident triage and response.
• Context around DNS events that will show you what kind of domains are being queried and with what
frequency, time stamps, passive DNS information for each domain, WHOIS information, and any
associated malware tags.
• Security hygiene to keep track of what security capabilities are enabled by your NGFWs across your
estate, allowing you to quickly eliminate any blind spots.
Inspect All Types of DNS Traffic
Gain visibility into and protect all types of DNS traffic, such as plain-text DNS, DNS over TLS (DoT), and DNS over HTTPS (DoH), including those going to unknown resolvers.
• Leverage decryption on your firewall to inspect encrypted DNS traffic, such as DoH and DoT.
• Sinkhole and quarantine infected users in your network.
• Leverage AIOps for complete visibility of all your DNS traffic, including insights into trends, all in a
single dashboard.
• Secure all types of DNS traffic including those that are directed to unknown DNS resolvers.
The Power of Palo Alto Networks Security Subscriptions

Detect and Prevent Advanced Threats with Cloud-Delivered Security Services
Today, cyberattacks have increased in volume and sophistication, scaling to 45,000 variants within 30 minutes, using multiple threat vectors or advanced techniques to deliver malicious payloads within your enterprise. Traditional and disparate security challenges organizations to protect their users, devices, and applications, creating security gaps, increasing management overhead for security teams, and hindering business productivity with inconsistent access and visibility. Seamlessly integrated with the industry-leading Next-Generation Firewall platform, our Cloud-Delivered Security Services use the network effect of 80,000 customers to instantly coordinate intelligence and provide protections for all threats across all threat vectors. Eliminate coverage gaps across all enterprise locations and take advantage of best-in-class security delivered consistently in a platform, so you can be safe from even the most advanced and evasive threats.

Operational Benefits
The DNS Security subscription enables you to:
• Deploy with ease. Tight integration with the NGFW platform means you’re simply turning on a service without having to reroute your DNS traffic to outside resolvers that attackers can easily bypass.
• Get protection without performance impact. Advanced security is seamlessly applied to DNS queries in real time, with no business impact.
• Maintain full visibility into DNS traffic. The visual dashboard gives network security engineers and SOC analysts alike a fast visual assessment of your organization’s DNS usage.
• Customize response through DNS categories. Easily set up policies in line with your risk profile by automating responses based on DNS traffic types.
Table 2: Cloud-Delivered Security Services

| Service | Description |
|---|---|
| Advanced Threat Prevention | Stop known exploits, malware, spyware, and command-and-control (C2) threats while utilizing industry-first prevention of zero-day attacks – prevent 60% more unknown injection attacks and 48% more highly evasive command-and-control traffic than traditional IPS solutions. |
| Advanced WildFire | Ensure files are safe by automatically preventing known, unknown, and highly evasive malware 60x faster with the industry-largest threat intelligence and malware prevention engine. |
| Advanced URL Filtering | Ensure safe access to the internet and prevent 40% more web-based attacks with the industry’s first real-time prevention of known and unknown threats, stopping 88% of malicious URLs at least 48 hours before other vendors. |
| DNS Security | Gain 40% more threat coverage and stop 85% of malware that abuses DNS for command and control and data theft, without requiring changes to your infrastructure. |
| Enterprise DLP | Minimize risk of a data breach, stop out-of-policy data transfers, and enable compliance consistently across your enterprise, with 2x greater coverage of any cloud-delivered enterprise DLP. |
| SaaS Security | The industry’s only Next-Generation CASB natively integrated into Palo Alto Networks SASE offers proactive SaaS visibility, comprehensive protection against misconfigurations, real-time data protection, and best-in-class security. |
| IoT Security | Safeguard every “thing” and implement Zero Trust device security 20x faster with the industry’s smartest security for smart devices. |
| AIOps | AIOps for NGFW redefines firewall operational experience by empowering security teams to proactively strengthen security posture and resolve firewall disruptions. |
Figure 2: Detect and prevent advanced threats with our Cloud-Delivered Security Services. (Figure: Unit 42 Threat Intelligence feeding the subscriptions, with unified management and simplified operations. Callouts: stop 60% more zero-day exploits; 60x faster verdicts; stop 40% more threats; 40% more threat coverage; leading API security for SaaS; 2x more coverage; 90% of devices in 48 hours; known, unknown, and evasive threats; consistent prevention everywhere in seconds. Enforcement points: NGFW (PA, VM, CN), Prisma SASE, Prisma Cloud, Cortex XDR, across devices, users, applications, and data.)
Table 3: DNS Security Features

| Feature | Description |
|---|---|
| ML-Based Inline Protection | Uses ML-based analysis to identify advanced DNS-based threats (listed under DNS Security Detectors). |
| Cloud Database | Contains tens of millions of known malicious domains, enabling you to block phishing, malware, and other high-risk categories. |
| DNS Security Analytics | Provides threat reporting capabilities that allow full visibility into DNS traffic, along with the full DNS context around security events and traffic trends over time. |
| DNS Sinkholing | Enables you to forge a response to a DNS query for a known malicious domain and cause that malicious domain name to resolve to a definable IP address given to the client. Client attempts to access the sinkhole address can be logged and trigger automated actions (e.g., quarantine). This technique can be used to identify infected hosts on the network. |
| DNS Security Categories | Allows you to define separate policy actions as well as a log severity level for a specific signature type. You can create specific security policies based on the nature of a threat (e.g., C2, dynamic DNS, malware, newly registered domain, phishing, grayware, parked domain, proxy avoidance, and anonymizers) according to your network security protocols. |

DNS Security Detectors

| Detector | Description |
|---|---|
| Domain Generation Algorithm (DGA) | Identifies the use of DGAs, which generate random domains on the fly for malware to use as a way to call back to a C2 server. |
| Dictionary DGA | Identifies DGA domains based on dictionary words. |
| DNS Tunneling | Prevents the use of this technique, which exploits the DNS protocol to tunnel malware and other data through a client-server model. |
| Ultra-Slow DNS Tunneling | Disrupts ultra-low/slow DNS tunnels that spread tunneled data and exploits across multiple domains and use very slow rates to evade detection, stealing data or sending additional malicious payloads into your network. |
| Strategically Aged Domains | Predictive analytics that protect users from connecting to domains that were reserved and left dormant for months before use by malicious actors. |
| Fast Flux Domains | Prevents fast flux, a technique cybercriminals use to cycle through bots and DNS records. Fast flux networks are used for phishing, malware distribution, scams, and botnet operations. |
| Compromised Domain Zones | Protection from domains surreptitiously added to hacked DNS zones of reputable domains. |
| DNS Rebinding Attacks | Prevents DNS rebinding attacks, which can be used to move laterally and attack services inside the corporate network from the internet. |
| Dangling DNS Attacks | Prevents dangling DNS attacks, which take advantage of stale DNS zone data to take over domains and cause reputational harm or launch phishing attacks. |
| Wildcard DNS | Prevents attackers from directing users to malicious domains with the use of a wildcard DNS record. |
| DNS Infiltration | Prevents techniques that exploit the DNS protocol to tunnel malicious payloads into your network. |
| NXNS Denial-of-Service Domains | Protects users from connecting to domains that can be used to launch DDoS attacks. |
| Malicious Newly Registered Domains (NRD) | Uses predictive analysis to identify domains registered by malicious actors at the time of registration. |
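Two of the detectors in Table 3, DGA domains and DNS tunneling, worked through as an added example (illustrative heuristics, not Palo Alto Networks' ML detectors or their thresholds). It runs over a constructed list of query names under reserved `.example` names and a couple of well-known benign names. DGA-looking registered domains are flagged from label length, Shannon entropy and vowel ratio of the second-level label; tunneling candidates are flagged per registered domain from the count and mean length of distinct subdomains. The tunneling score deliberately aggregates over the whole log window rather than a per-minute query rate, because, as the table's ultra-slow tunneling row notes, a tunnel that spreads its traffic thinly over time defeats rate thresholds. The two-label "registered domain" split is a simplification; production code needs the Public Suffix List for names like `co.uk`.

```python
import math
from collections import defaultdict

# Constructed query log (names only). Benign names mixed with two DGA-style
# registered domains and a set of long, encoded-looking labels under tun.example.
SAMPLE_QUERIES = [
    "mail.google.com", "en.wikipedia.org", "accounts-management.example",
    "xkq7v2pz9dlm3w.example", "p3wq8zxkvr1t.example",
    "img1.cdn.example", "img2.cdn.example", "static.cdn.example", "api.cdn.example", "www.cdn.example",
    "4a6f686e20446f65203132333435.tun.example", "54686973206973206120746573.tun.example",
    "6578616d706c65207061796c6f6164.tun.example", "636f6e6669672d6368756e6b2d30.tun.example",
    "7365636f6e642d6368756e6b2d3031.tun.example", "66696e616c2d6368756e6b2d3032.tun.example",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain); registered = last two labels (simplification)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dga_features(registered: str) -> dict:
    """Features of the second-level label that random-looking DGA names tend to exhibit."""
    label = registered.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
    }


def looks_like_dga(registered: str, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2) -> bool:
    """Long, high-entropy, vowel-poor second-level labels; thresholds are constructed for this example."""
    f = dga_features(registered)
    return f["length"] >= min_len and f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio


def tunneling_suspects(qnames, min_unique=5, min_mean_len=20) -> dict:
    """Registered domains receiving many distinct, long subdomains (data carried in the query name)."""
    subs = defaultdict(set)
    for q in qnames:
        registered, sub = split_name(q)
        if sub:
            subs[registered].add(sub)
    suspects = {}
    for registered, names in subs.items():
        mean_len = sum(len(s) for s in names) / len(names)
        if len(names) >= min_unique and mean_len >= min_mean_len:
            suspects[registered] = {"unique_subdomains": len(names), "mean_subdomain_len": mean_len}
    return suspects


def analyze(qnames) -> dict:
    """Run both detectors over a list of query names."""
    dga = sorted({split_name(q)[0] for q in qnames if looks_like_dga(split_name(q)[0])})
    return {"dga": dga, "tunneling": tunneling_suspects(qnames)}


if __name__ == "__main__":
    print(analyze(SAMPLE_QUERIES))
```

The `cdn.example` names are the edge case worth checking: five distinct subdomains clear the count threshold, but their short labels carry no payload, so the mean-length test keeps them out of the tunneling list, while the `tun.example` names, each a long hex-looking label, are flagged.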
Table 4: Privacy and Licensing Summary

Privacy with DNS Security Subscription

| Topic | Details |
|---|---|
| Trust and Privacy | Palo Alto Networks has strict privacy and security controls in place to prevent unauthorized access to sensitive or personally identifiable information. We apply industry-standard best practices for security and confidentiality. You can find further information in our privacy datasheets. |

Licensing and Requirements

| Topic | Details |
|---|---|
| Requirements | To use the Palo Alto Networks DNS Security subscription, you will need: Palo Alto Networks Next-Generation Firewalls running PAN-OS 9.0 or later; Palo Alto Networks Threat Prevention license. |
| Recommended Environment | Use DNS Security with Palo Alto Networks Next-Generation Firewalls deployed in any internet-facing location, as threats involving malicious domains, tunneling, and other abuse of DNS require external connectivity. |
| DNS Security License | DNS Security requires a standalone license, delivered as an integrated, cloud-based subscription for Palo Alto Networks Next-Generation Firewalls. It is also available as part of the Palo Alto Networks Subscription ELA, VM-Series ELA, or Prisma Access. |
3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
parent_ds_dns-security_112222