Question 292 - PCNSA discussion


Which two DNS policy actions in the anti-spyware security profile can prevent hacking attacks through DNS queries to malicious domains? (Choose two.)

A. Deny
B. Sinkhole
C. Override
D. Block
Suggested answer: B, D

Explanation:

A DNS policy action is a setting in an Anti-Spyware security profile that defines how the firewall handles DNS queries to malicious domains. A malicious domain is a domain name that is associated with a known threat, such as malware, phishing, or botnet [1].

There are four possible DNS policy actions: alert, allow, block, and sinkhole [1].

The alert action logs the DNS query and allows it to proceed to the intended destination. This action does not prevent hacking attacks, but only notifies the administrator of the potential threat [1].

The allow action allows the DNS query to proceed to the intended destination without logging it. This action does not prevent hacking attacks, but only bypasses the DNS security inspection [2].

The block action blocks the DNS query and sends a response to the client with an NXDOMAIN (non-existent domain) error code. This action prevents hacking attacks by preventing the client from resolving the malicious domain [1].

The sinkhole action redirects the DNS query to a predefined IP address (the sinkhole IP address) that is under the control of the administrator. This action prevents hacking attacks by isolating the client from the malicious domain and allowing the administrator to monitor and remediate the infected host [1].

The override action is not a valid DNS policy action, but a setting in an Anti-Spyware security profile that allows the administrator to create exceptions for specific spyware signatures whose default action or log settings they want to override [3].

Therefore, the two DNS policy actions that can prevent hacking attacks through DNS queries to malicious domains are block and sinkhole.

References:

[1] Enable DNS Security - Palo Alto Networks
[2] How To Disable the DNS Security Feature from an Anti-Spyware Profile - Palo Alto Networks
[3] Security Profile: Anti-Spyware - Palo Alto Networks

asked 23/09/2024
Khalid Hamid