Video

Lightboard Series: DNS Security Service - Protecting against malware using DNS

Apr 29, 2019

 

TRANSCRIPT

 

Ashwin Dewan:

Hello, my name is Ashwin Dewan. I'm a product manager at Palo Alto Networks, and today we're going to talk about DNS, the unique security challenges that it poses, and our solution to those challenges, the Palo Alto Networks DNS Security service.

 

Ashwin Dewan:

So your first question may be: what is DNS and how does it work? You can think of DNS as the phone book for the internet. Let's say a host wants to connect to a website like xyz.com. It'll send a DNS request, usually to an internal DNS server. This internal DNS server will forward the request to a public DNS server via a next-generation firewall. The public DNS server will respond with a machine-usable IP address that the host will use to connect, something like 1.2.3.4. Once the host receives this response, it'll reach back out through your next-generation firewall to connect to the resource, and the user can go about their work.

 

Ashwin Dewan:

So as you can see, DNS is necessary to the function of the internet and normal browsing. This generates challenges from a security perspective: DNS can't be blocked, and it's really hard to monitor manually.

 

Ashwin Dewan:

So there are a couple of different types of DNS threats: there's both the known and the unknown. Our Unit 42 researchers tell us that 80% of the malware they see uses DNS to establish a command-and-control channel. For the known, we can use a wealth of data to catch this, but for the unknown, there are a couple of evasive techniques that attackers use that require a more predictive approach. One of these techniques is called domain generation algorithms, or DGA, and this is when attackers generate tens of thousands of domains each day and only have to register one of them to establish the command-and-control channel.

 

Ashwin Dewan:

Another technique they use is something called DNS tunneling. DNS tunneling is using the DNS channel itself for communication. So what they'll do is set up a name server for a domain that they control and use that to accept and send any requests and responses from the public DNS infrastructure. If you have a host on your network that becomes infected, they can exfiltrate data by breaking it up into chunks and sending those out as DNS requests, which they will then reassemble on their side.

 

Ashwin Dewan:

Our solution to these challenges is the DNS Security service cloud. As the firewall sees any DNS request transiting, it will send, in parallel, a lookup to this cloud. In this cloud we have data for both known and unknown threats. For the known threats we have data from our Unit 42 security researchers, from something called passive DNS, from our PAN-DB URL filtering service, from the Cyber Threat Alliance, which is an industry-wide consortium for sharing security information, and also from all the millions of samples that run through WildFire each day. We take a look at the network traffic from those sessions, identify malicious domains, and put all that data into the DNS Security cloud.

 

Ashwin Dewan:

Now for the unknown threats, domain generation algorithms and tunneling, we have to do predictive analytics. So we take machine learning algorithms, train them on this wealth of known-good, high-fidelity DNS data that we have, and make a decision within milliseconds to identify domain generation algorithms and DNS tunneling for domains that we've never seen before. For domain generation algorithms we'll look at features like the age of a domain and the entropy, or randomness, of the domain name. For DNS tunneling we'll look at both the age of the domain and the traffic patterns that we see for this domain across the entire Palo Alto Networks customer base.

 

Ashwin Dewan:

The scale of the cloud is really required to run these algorithms at the speed necessary to block threats in real time. Once the DNS Security cloud has come to a verdict, it will send that verdict back to the next-generation firewall, at which point the next-generation firewall will block and drop any further DNS requests to that malicious domain and drop and sinkhole any pending responses. This sinkhole IP is sent back to the host. If the host attempts to make a connection to the sinkhole IP, which it thinks is the attacker's malicious resource, the next-generation firewall, since it's inline, can pick up on this traffic and automatically isolate the host from portions of your network, as you define in firewall security policy. At this point, your security team can remediate and take action to clean up the host. The Palo Alto Networks DNS Security service is just one part of our security operating platform, which covers threats outside of DNS. To learn more, visit us at paloaltonetworks.com.
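The two "unknown threat" features the transcript names, label entropy for DGA-like names and long, varied subdomain prefixes for tunneling-like traffic, together with the sinkhole response, as an added Python example that is not the product's own code or model. The thresholds, the two-label registrable-domain rule, the sample log lines and the sinkhole address are all assumptions; domain age is not available offline and is left out.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines ("client qname"), not real traffic.
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 kq3xv9zt1pm8rwl2c.net",   # DGA-like: long, high-entropy label
    "10.0.0.7 x7dq2mzp0lw5kv8r.net",
    "10.0.0.9 4a6f686e20446f65.1f2e3d4c5b6a.t.exfil-example.net",      # tunneling-like:
    "10.0.0.9 5361792068656c6c.6f20746f20746865.t.exfil-example.net",  # hex chunks as labels
]
SINKHOLE_IP = "198.51.100.1"  # assumed sinkhole address (TEST-NET-2), not a real service

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def is_dga_like(rdomain, min_len=10, min_entropy=3.5):
    # Randomness of the registrable label stands in for the transcript's entropy feature.
    label = rdomain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def analyze(lines, tunnel_prefix_len=30):
    """Return {registered_domain: set(reasons)} for domains that look malicious."""
    verdicts, prefixes = defaultdict(set), defaultdict(set)
    for line in lines:
        _client, qname = line.split()
        q = qname.lower().rstrip(".")
        rd = registered_domain(q)
        prefix = q[: -len(rd) - 1]  # everything left of the registrable domain
        if prefix:
            prefixes[rd].add(prefix)
        if is_dga_like(rd):
            verdicts[rd].add("dga")
    for rd, pset in prefixes.items():
        # Many distinct, long prefixes under one domain: data chunked into queries.
        if len(pset) >= 2 and sum(map(len, pset)) / len(pset) >= tunnel_prefix_len:
            verdicts[rd].add("tunneling")
    return dict(verdicts)

def resolve_or_sinkhole(qname, verdicts, real_answer):
    """Mimic the firewall action: return the sinkhole IP for a flagged domain."""
    return SINKHOLE_IP if registered_domain(qname) in verdicts else real_answer
```

A host that later connects to `SINKHOLE_IP` identifies itself as infected, which is the signal the transcript describes the inline firewall acting on.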
