This guide applies to Palo Alto firewalls running PAN-OS 9 and above. To use the DNS Security service you need valid Threat Prevention and DNS Security licences.
Canaries on networks around the world communicate with the Canary Console over DNS without trouble. On a handful of networks protected by Palo Alto firewalls, however, some of that DNS traffic is blocked because the firewall mistakenly classifies it as DNS tunnelling. This article shows how to exempt your Canaries from the signatures involved so their DNS traffic is no longer blocked.
Palo Alto firewalls ship with several Anti-Spyware threat signatures that fire on suspected DNS tunnelling. The ones known to block Canary traffic are:
- DNS Tunnel Data Infiltration Traffic Detection (ID: 18003)
- DNSExfiltrator DNS Tunnel Data Exfiltration Traffic (ID: 18084)
- DNS Tunnel Based Command and Control (ID: 18658)
- Pisloader.Backdoor Command and Control Traffic (ID: 18812)
- DNSpionage Command and Control Traffic (ID: 18823)
If another DNS tunnelling signature blocks Canary traffic, it will appear in the firewall's Threat log as a blocked DNS TXT query for a name ending in .cnr.io, with the signature's name and ID shown in the Threat/Content Name column.
The steps below exempt specific Canaries, identified by their source IP addresses, from a single one of the signatures listed above.
In the firewall's web interface, navigate to Objects, then Security Profiles, then Anti-Spyware:
Step 1: Open the Anti-Spyware profile your organisation currently uses and that is generating the Canary DNS tunnelling alerts (in the screenshot: 'Org DNS Protection Profile'). If you are unsure which profile that is, the Rule column of the Threat log entry names the security policy rule that fired, and that rule's Profile Setting names the profile attached to it.
Step 2: Navigate to the Exceptions tab
Step 3: Select 'Show all signatures'
Step 4: In the Search bar, enter "DNS Tunnel"
Step 5: Tick Enable next to the signature that flags the Canary traffic (in the screenshot: 'DNS Tunnel Data Infiltration Traffic Detection'), then click the empty cell under IP Address Exemptions
Step 6: Click Add and enter the IP addresses of the Canaries. Because the exemption is keyed on IP address, the Canaries need stable (static or reserved) addresses; a Canary that moves to a new address will be blocked again.
Step 7: Click OK twice, then Commit the configuration
And you're done!
If a Canary later triggers a different tunnelling signature, return to the Anti-Spyware profile edited here and add an exception for that signature as well. (If you let us know, we'll update this page.) Note that IP exemptions are per signature: the Canary source IP addresses must be added to each signature's IP Address Exemptions list individually, and exempting them from one signature does nothing for the others. The exemption is also scoped: the signature is bypassed only for sessions whose source or destination IP is on the list, so every other host on the network stays protected by the signature's normal action.
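The script below is an added example written for this article; it is not Thinkst or Palo Alto code. It takes Threat log records of the kind described above, works out which signature IDs blocked .cnr.io queries and from which Canary source IPs, and then emits one PAN-OS configure-mode set command per signature per Canary, which makes the per-signature nature of the exemption concrete. Assumptions: the log records are constructed and reduced to four fields (source IP, Threat/Content Name with the ID in parentheses as PAN-OS writes it, action, queried name); the profile name 'Org DNS Protection Profile' is taken from the screenshot; and the `set profiles spyware ... threat-exception ... exempt-ip` command syntax is recalled from the PAN-OS CLI and should be confirmed with tab completion on your own firewall before use.

```python
"""Find which Palo Alto Anti-Spyware signatures blocked Canary DNS traffic
and emit the per-signature IP exemptions for them.

Added example for this article; not Thinkst or Palo Alto code.
"""
import re
from collections import defaultdict

# Constructed sample records (not real logs). Real PAN-OS Threat log lines
# carry many more comma-separated fields; this example assumes they have been
# reduced to: source IP, Threat/Content Name, action, queried name.
# PAN-OS writes the threat ID in parentheses after the name, e.g. "...(18003)".
SAMPLE_LOG = """\
10.10.5.21,DNS Tunnel Data Infiltration Traffic Detection(18003),drop,abcd1234.cnr.io
10.10.5.21,DNS Tunnel Based Command and Control(18658),sinkhole,abcd1234.cnr.io
10.10.7.44,DNSpionage Command and Control Traffic(18823),drop,efgh5678.cnr.io
10.10.7.44,DNS Tunnel Data Infiltration Traffic Detection(18003),alert,efgh5678.cnr.io
192.168.3.9,DNS Tunnel Data Infiltration Traffic Detection(18003),drop,update.example.net
"""

CANARY_DOMAIN = "cnr.io"                 # Canaries reach the Console under this zone
PROFILE = "Org DNS Protection Profile"   # profile name from the screenshot (assumed)

# Actions that stop the query; "alert" only logs, so it needs no exemption.
BLOCKING_ACTIONS = {"drop", "sinkhole", "reset-client", "reset-server",
                    "reset-both", "block-ip"}

THREAT_RE = re.compile(r"^(?P<name>.+)\((?P<id>\d+)\)$")


def parse_record(line):
    """Split one reduced Threat log record into a dict."""
    src, threat, action, qname = line.split(",", 3)
    m = THREAT_RE.match(threat)
    if m is None:
        raise ValueError(f"threat name without ID: {threat!r}")
    return {"src": src, "threat_id": int(m["id"]), "threat_name": m["name"],
            "action": action, "qname": qname.strip().lower()}


def is_canary_name(qname):
    """True for cnr.io itself and any name below it (not e.g. notcnr.io)."""
    return qname == CANARY_DOMAIN or qname.endswith("." + CANARY_DOMAIN)


def canary_blocks(log_text):
    """Map signature ID -> sorted list of Canary source IPs it blocked.

    Non-Canary destinations are ignored so that unrelated hosts hitting the
    same signature are never exempted.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] in BLOCKING_ACTIONS and is_canary_name(rec["qname"]):
            hits[rec["threat_id"]].add(rec["src"])
    return {tid: sorted(ips) for tid, ips in hits.items()}


def exemption_commands(profile, hits):
    """Emit PAN-OS configure-mode commands. Exemptions are per signature,
    so every Canary IP is repeated under every signature ID that fired.
    With exempt-ip present, 'action allow' applies only to those IPs.

    Assumed CLI syntax; verify with '?' completion on your firewall.
    """
    cmds = []
    for tid in sorted(hits):
        cmds.append(f'set profiles spyware "{profile}" threat-exception {tid} action allow')
        for ip in hits[tid]:
            cmds.append(f'set profiles spyware "{profile}" threat-exception {tid} exempt-ip {ip}')
    return cmds


if __name__ == "__main__":
    blocked = canary_blocks(SAMPLE_LOG)
    for tid, ips in sorted(blocked.items()):
        print(f"signature {tid} blocked Canaries: {', '.join(ips)}")
    print()
    print("\n".join(exemption_commands(PROFILE, blocked)))
    print("commit")
```

On the constructed sample, the 192.168.3.9 record is ignored because its query is not under cnr.io, and the 'alert' record is ignored because nothing was blocked; 10.10.5.21 ends up exempted under two signatures and 10.10.7.44 under one, which is exactly the repetition the GUI steps require you to do by hand.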