DNS traffic exists in nearly every organization, creating an overwhelming ocean of data that security teams often ignore or do not have the tools to properly analyze. Cybercriminals increasingly abuse DNS to mask their Command and Control (CnC) activity in order to deliver additional malware or steal valuable data.

Malicious domains controlled by attackers enable rapid movement of Command and Control channels from point to point, bypassing traditional security controls, such as blacklists or Web reputation.

We provide opt-in passive DNS monitoring, creating a database of malicious domains and associated infrastructure, which we then turn into protections and provide as part of our Threat Prevention subscription.
Continuous Protection Improvements

Passive DNS is an opt-in feature that enables the firewall to act as a DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and prevention capabilities.

Our threat research team uses this intelligence to gain insight into malware propagation and evasion techniques that abuse the DNS system, and applies what it learns to improve the accuracy and prevention capabilities of PAN-DB URL Filtering, DNS-based Command and Control signatures, and WildFire® for our customers.

Privacy and Security

Data submitted via Passive DNS Monitoring consists only of domain name to IP address mappings. We retain no record of the source of this data and do not have the ability to associate it with the submitter at a future date.

The data collected consists of non-recursive DNS query and response packet payloads. This means the intelligence we receive originates from the local recursive resolver rather than from individual clients, so we collect only what is needed for threat research, and potentially sensitive company and employee information never leaves your organization.
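As an added illustration of the data shape described above, and not Palo Alto Networks' own code: a minimal collector that parses a DNS response payload, keeps only the domain-name-to-IP mappings from non-recursive exchanges (RD flag clear, as between a resolver and an authoritative server), and never reads or stores anything about who sent the packet. The packet builder and the 192.0.2.x addresses are constructed test data; how the firewall actually selects and formats its submissions is not described on this page.

```python
import ipaddress, struct

def _read_name(pkt, off):
    """Decode a (possibly compressed) DNS name at pkt[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # resume after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def passive_dns_records(payload):
    """Return (qname, type, ttl, ip) tuples from a DNS response payload. Only
    non-recursive responses (QR=1, RD=0) are kept; the sender is never consulted."""
    flags, qd, an = struct.unpack("!HHH", payload[2:8])
    if (flags & 0x8000) == 0 or (flags & 0x0100):      # not a response, or RD set
        return []
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(payload, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype in (1, 28):                            # A or AAAA mappings only
            records.append((name, "A" if rtype == 1 else "AAAA", ttl,
                            str(ipaddress.ip_address(rdata))))
    return records

def build_response(qname, ips, rd=0, ttl=300):
    """Constructed test packet: a response carrying one A record per IPv4 in ips."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8000 | (0x0100 if rd else 0), 1, len(ips), 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)    # owner name = pointer to the question
    answers = b"".join(rr + ipaddress.IPv4Address(ip).packed for ip in ips)
    return hdr + qname_wire + struct.pack("!HH", 1, 1) + answers
```

Feeding the same sample with `rd=1` (a client-style recursive query) yields no records, which is the filter that keeps individual client lookups out of the data set.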

7.0 configuration guide for passive DNS