topic DNS sinkhole , some questions in General Topics

DNS sinkhole , some questions

DavidMankivsky — Thu, 13 Jun 2024 08:16:20 GMT

I'm a SOC analyst, and we receive firewall logs regarding DNS sinkhole alerts. I'm trying to understand them better.

I have received multiple logs of this type, and I want to make sure I understand them correctly.

In this log, the domain that was queried was "s.w.org," right? I received multiple logs, and "generic:sr7pv7n5x.com" was present in all of them after the domain. What does this represent?

Also, does the sinkhole work only based on known databases of domains that have been flagged as malicious? Or will it also flag domains that appear suspicious, like "3123fsda11.xyz"?

Thank you so much; I appreciate it.

one of the logs we received :

<12>Jun 10 12:55:39 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:55:39,026701011826,THREAT,spyware,2816,2024/06/10 12:55:39,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:55:39,457116,1,51705,53,0,0,0x2000,udp,sinkhole,"s.w.org",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350092,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:55:39.509+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

<12>Jun 10 12:57:03 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:57:03,026701011826,THREAT,spyware,2816,2024/06/10 12:57:03,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:57:03,730181,1,62138,53,0,0,0x2000,udp,sinkhole,"i.ytimg.com",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350559,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:57:03.901+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

Re: DNS sinkhole , some questions

JayGolf — Thu, 13 Jun 2024 18:57:31 GMT

Hi @DavidMankivsky ,

The functionality of DNS sinkhole depends on the subscriptions on your firewall. With a threat prevention license, your firewall can sinkhole DNS requests using a predefined list of malicious domains provided by Palo Alto Networks.

However, if you have a DNS Security subscription in addition to the threat prevention license, that's where you have access to real-time protection. This includes advanced predictive analytics that can identify and flag not only known malicious domains but also suspicious domains that exhibit characteristics similar to those used by attackers, such as '3123fsda11.xyz

For the logs, it looks to me that there are two domains that the client is trying to resolve (I would double-check with the actual logs populated on the firewall):

1. "s.w.org"
2. "i.ytimg.com"

The (generic:sr7pv7n5x.com)(638487393) looks to be the (Threat Signature Name)(Unique Threat ID). You can access the Palo Alto Networks Threat Vault and search for that unique threat ID.

Hope this helps!

Re: DNS sinkhole , some questions

DavidMankivsky — Mon, 17 Jun 2024 06:03:23 GMT

Thank you Jay! you helped me a lot