https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-s/m-p/27709#M20204 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We are running version 5.0.6 for a few weeks now and looks very good.</P><P>We see now also in our threat detection the following threat "Suspicious DNS Query : ......" and this is blocked.</P><P>This is very cool to block at dns level spyware and malware but the disadvantage of this is that the source client ip address is always your DNS server.</P><P>So you need to look in to your logs of your DNS Server to find out the infected client.</P><P>But if you have a distributed DNS infrastructure and many DNS Servers spread over several location in Europe then this a hard job to do.</P><P></P><P>Why is it not possible to redirect Suspicious DNS Query's to a honeypot IP address so you can then detect the real client's ip address?</P><P>Maybe a future request!!</P><P></P><P>Or does someone have a better idea how to deal with this issue?</P><P>maFor us monitoring all the DNS servers log is not a option because we have so many DNS Servers spread over many locations.</P><P></P><P>Regards,</P><P>O. Bor</P></BODY></HTML> Thu, 01 Aug 2013 10:37:38 GMT obor 2013-08-01T10:37:38Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-s/m-p/27709#M20204 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We are running version 5.0.6 for a few weeks now and looks very good.</P><P>We see now also in our threat detection the following threat "Suspicious DNS Query : ......" and this is blocked.</P><P>This is very cool to block at dns level spyware and malware but the disadvantage of this is that the source client ip address is always your DNS server.</P><P>So you need to look in to your logs of your DNS Server to find out the infected client.</P><P>But if you have a distributed DNS infrastructure and many DNS Servers spread over several location in Europe then this a hard job to do.</P><P></P><P>Why is it not possible to redirect Suspicious DNS Query's to a honeypot IP address so you can then detect the real client's ip address?</P><P>Maybe a future request!!</P><P></P><P>Or does someone have a better idea how to deal with this issue?</P><P>maFor us monitoring all the DNS servers log is not a option because we have so many DNS Servers spread over many locations.</P><P></P><P>Regards,</P><P>O. Bor</P></BODY></HTML> Thu, 01 Aug 2013 10:37:38 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-s/m-p/27709#M20204 obor 2013-08-01T10:37:38Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-s/m-p/27710#M20205 <HTML><HEAD></HEAD><BODY><P>You might want to take a look at <A href="https://live.paloaltonetworks.com/message/25901">Re: Suspicious DNS Query - how to find source computer?</A></P></BODY></HTML> Thu, 01 Aug 2013 12:05:38 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-s/m-p/27710#M20205 UhMayYeah 2013-08-01T12:05:38Z