https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/157957#M13 <P>I tried to find an answer for this, but I couldn't find it. If someone has already posted this question, apologies...</P><P>&nbsp;</P><P>I just turned DNS sinkholing and it works as expected for root domains, for example:</P><P>&nbsp;</P><P><STRONG>nslookup kntsv.nl&nbsp;</STRONG>returns the DNS sinkhole IP of 71.19.152.112.</P><P>&nbsp;</P><P>BUT...</P><P>&nbsp;</P><P>If I do an nslookup of any subdomain of kntsv.nl, it returns a valid A record, for example:</P><P>&nbsp;</P><P><STRONG>nslookup testing.kntsv.nl&nbsp;</STRONG>returns the IP of 109.72.85.37.</P><P>&nbsp;</P><P>My question... Why did the dns lookup for the subdomain work but not the root? I would think the Palo would mark *.kntsv.nl as malicious and return with the sinkhole IP.</P><P>&nbsp;</P><P>Thanks in advance for the help.</P> Tue, 23 May 2017 19:28:47 GMT grumpycat 2017-05-23T19:28:47Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/157957#M13 <P>I tried to find an answer for this, but I couldn't find it. If someone has already posted this question, apologies...</P><P>&nbsp;</P><P>I just turned DNS sinkholing and it works as expected for root domains, for example:</P><P>&nbsp;</P><P><STRONG>nslookup kntsv.nl&nbsp;</STRONG>returns the DNS sinkhole IP of 71.19.152.112.</P><P>&nbsp;</P><P>BUT...</P><P>&nbsp;</P><P>If I do an nslookup of any subdomain of kntsv.nl, it returns a valid A record, for example:</P><P>&nbsp;</P><P><STRONG>nslookup testing.kntsv.nl&nbsp;</STRONG>returns the IP of 109.72.85.37.</P><P>&nbsp;</P><P>My question... Why did the dns lookup for the subdomain work but not the root? I would think the Palo would mark *.kntsv.nl as malicious and return with the sinkhole IP.</P><P>&nbsp;</P><P>Thanks in advance for the help.</P> Tue, 23 May 2017 19:28:47 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/157957#M13 grumpycat 2017-05-23T19:28:47Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/158544#M14 When a root domain is malicious, it does not mean that automatically all subdomains are malicious.<BR />As far as I know in the DNS signatures there are only FQDN's and not wildcard entries. Sat, 27 May 2017 10:28:30 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/158544#M14 Remo 2017-05-27T10:28:30Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/160261#M16 FYI, You should be able to create your own External Dynamic block list and add it to your DNS Sinkhole policy and wildcard the sub-domains if you want. Thu, 08 Jun 2017 18:38:08 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-sinkholing-subdomains-of-known-bad-domains/m-p/160261#M16 murphyj 2017-06-08T18:38:08Z