https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504339#M105501 <P>Dear all,</P><P>&nbsp;</P><P>we are seeing many DNS alerts for spyware, but we don't have any DNS logs.</P><P>Also, internal hosts can't resolve external FQDNs, so probably most of the requests are coming from the proxy.</P><P>So we are thinking about setting up DNS sink holing with a honey pot.</P><P>Any recommendations what to use as a honey pot so that we can get the most information possible from the client connecting to it?</P><P>&nbsp;</P><P>Thanks and Regards,</P><P>&nbsp; &nbsp;Andreas</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Jun 2022 21:33:18 GMT idelconsulting 2022-06-16T21:33:18Z https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504339#M105501 <P>Dear all,</P><P>&nbsp;</P><P>we are seeing many DNS alerts for spyware, but we don't have any DNS logs.</P><P>Also, internal hosts can't resolve external FQDNs, so probably most of the requests are coming from the proxy.</P><P>So we are thinking about setting up DNS sink holing with a honey pot.</P><P>Any recommendations what to use as a honey pot so that we can get the most information possible from the client connecting to it?</P><P>&nbsp;</P><P>Thanks and Regards,</P><P>&nbsp; &nbsp;Andreas</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Jun 2022 21:33:18 GMT https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504339#M105501 idelconsulting 2022-06-16T21:33:18Z https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504573#M105516 <P>Not a honeypot but Pi-Hole is what I use for both DNS sinkhole and primary DNS server in some cases.&nbsp; I run it in VMware on CentOS8 or on a Raspberry Pi.</P> Fri, 17 Jun 2022 20:25:46 GMT https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504573#M105516 Buck_Smooth 2022-06-17T20:25:46Z https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504969#M105544 <P>Hello,</P> <P>DNS logs are a big deal. Have you looked into the following article to ensure sinkhole setup correctly and logging correctly:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0</A></P> <P>&nbsp;</P> <P>Also I recommend using a secure DNS resolver for anything external.</P> <P>Here is a link to a video I made for a conference about DNS:</P> <P><A href="https://youtu.be/ROIAYSEbTuo" target="_blank">https://youtu.be/ROIAYSEbTuo</A></P> <P>Regards,</P> Mon, 20 Jun 2022 17:12:12 GMT https://live.paloaltonetworks.com/t5/general-topics/honey-pot-recommendation-for-dns-sink-holing/m-p/504969#M105544 OtakarKlier 2022-06-20T17:12:12Z