Palo Alto Networks DNS Security Review

Mature with good scalability and an easy initial setup


What is our primary use case?

We primarily use the solution for security reasons.

What is most valuable?

Palo Alto has a range of products. They have very secure 600 DNS as well as 100 DNS. They have anti-hacking features which are quite useful. They have virus protection within the firewall.

They have other products that are geared towards protecting the DNS. All of their product line is highly secure with built-in security. You can protect DNS within the firewall as most of the features are built-in. It's not like a product within the firewall. It's already built-in.

The initial setup is very, very straightforward.

The scalability is good.

The stability is excellent and the product is very mature.

What needs improvement?

Every vendor that sells DNS or firewalls needs to be able to protect against DNS look-up attacks and DNS naming hacks. This is true of Palo Alto as well as others.

The IDS and IPS should be built-in. With EDS and IDS, some are proud to have built-in IDS and IPS intrusion protection and intrusion detection as some vendors sell IDS and IPS separately. They shouldn't be separate. Instead of selling two products, it really should just be one.

For how long have I used the solution?

I've been using the solution for about six years at this point. It's been a while.

What do I think about the stability of the solution?

The solution is a very mature product. That's what I like about Palo Alto. They said they don't have breaches on their firewall. There are no bugs or glitches. It doesn't crash or freeze. It's great.

What do I think about the scalability of the solution?

Cisco and Palo Alto, right off the bat, are very scalable. That's why I'm studying cloud computing, as, right now, all of the cloud computing platforms have automation and start with automation. We're going away from humans having to configure routers, switches, stories, and firewalls. Everything is done through automation in the stack as well as through virtualization. Maybe in five years, we'll then have so many Cisco router engineers and NetApp engineers who would be mostly working through virtualization and the cloud.

How are customer service and technical support?

Palo Alto has a very mature library of documentation. That's what I like about Palo Alto. They don't have so many breaches, so you're dealing with a good, mature product.

You can go and visit the support webpage and check the size of their tech support libraries. If it's huge, then you know you have a product that has, let's say, a lot of incidents, so you maybe want to stay away from it.

Which solution did I use previously and why did I switch?

I'm in the process of certifying for cloud computing, Amazon cloud computing. I'm focusing not so much on hardware, but on the solutions that Amazon has. We deal primarily with Route 53, which is the Amazon product, which has built-in security features within the configuration of Route 53.

I have experience with Cisco, which is pretty easy to set up.

Sonicwall and Sophos I don't use at all.

Checkpoint is not an easy firewall to set up, although it is a very good firewall. Checkpoint has also been around for a very long time and it still has instruction sets and comments. It's software-driven, most of the time.

How was the initial setup?

The initial setup is not complex. That's the beauty about Palo Alto. If you set up a firewall, it is very easy and very straightforward. Unlike other vendors, the two firewalls that are easiest to set up are Cisco and Palo Alto. The other vendors are a little bit more work.

What's my experience with pricing, setup cost, and licensing?

I'm more focused on supporting the product; I don't buy it. I go to the webpage and I see prices; however, I don't pay too much attention to the cost. I'm more interested in the product features and doing the work and the support than actually buying the product.

It's my understanding that they are closely competitive with Cisco, and likely their pricing is on par.

What other advice do I have?

We are customers and end-users.

I'm not sure which version of the solution we're using.

I'm currently doing training with new virtual firewalls.

DNS is a very ancient protocol. The protocol 53 and the UCP and so on, and ARP. We need to review that architecture because the way we do networking is open to hacking. People can poison the cache, and therefore we need to look at a way of doing away with ARP, doing away with the UCP and having, let's say, the address convert automatically into the IP address and do away with IP version 6. IP version 6 was a total mess. Although the protocol works, it consumes too much overhead and it's too much of a fat protocol. It uses 64-bit, 128-bit, hex addressing at the MAC layer and also at the network layer when using hex.

We need to stick with expanding IP version 4, data in notation. That works at a human level better than working at the network layer. When you use, let's say, IP version 6 it is very difficult to troubleshoot. It's a lot easier to troubleshoot IP version 4, that it's decimal and hex at the network layer. It's a lot easier to identify patterns, easier for the eye to be able to recognize that something is negative or to understand how protocols are working or how routing is working.

Right now, most companies operate with all the DNS. What's surrounding the DNS are the firewalls, intrusion protection and detection, load balancing, fault tolerance et cetera. Other than that, we don't have a secure DNS. That's why we need to reinvent networking. We need to switch to a new method of networking, where we have a truly secure DNS. Without the DNS the internet does not work. That's like having a store open to pirates. DNS is the best thing that has been invented, as far as the internet goes, as that's what allows the browsers to work, that's what allows network solutions to work. Without it we're dead.

I'd rate the solution at an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.