https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74040#M41589 <P>Yeah, check who is sending those 'no such name' responses. That can't be PA.&nbsp;</P> Thu, 03 Mar 2016 07:56:55 GMT santonic 2016-03-03T07:56:55Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73581#M41468 <P>Hello, has anyone had any problems with DNS sinkhole not triggering on&nbsp;PAN-OS 6.1.4 ?</P> <P>&nbsp;</P> <P>I have created a security policy for DNS traffic between a LAN side DNS server and a WAN side upstream DNS server, the Palo sits at the WAN edge between the two DNS servers. &nbsp; Attached to this security policy is an Anti-spyware security policy with DNS action alert. &nbsp;This works as expected, alerting every time a query for a known malicious domain is seen, so no problem seeing the traffic albeit with the LAN side DNS server as the source IP address.</P> <P>&nbsp;</P> <P>So with a duplicate (higher) security rule and spyware policy now set to sinkhole, the traffic is seen as "DNS" by this new rule but does not trigger the treat and so does not receive the sinkhole IP address I have set.</P> <P>&nbsp;</P> <P>Any help would be greatly appreciated.</P> <P><SPAN>&nbsp;</SPAN></P> Thu, 25 Feb 2016 16:25:43 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73581#M41468 Smi12 2016-02-25T16:25:43Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73598#M41471 <P>Check out this doc it will surely help if the dns sinkhole is configured properly.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Threat-Articles/Where-to-Get-a-Suspicious-DNS-Query-for-Testing-DNS-Sinkhole/ta-p/66048" target="_blank">https://live.paloaltonetworks.com/t5/Threat-Articles/Where-to-Get-a-Suspicious-DNS-Query-for-Testing-DNS-Sinkhole/ta-p/66048</A></P> Thu, 25 Feb 2016 18:10:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73598#M41471 pankaku 2016-02-25T18:10:37Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73600#M41472 <P>Make sure that the&nbsp;<SPAN>antivirus update are consecutive.&nbsp;H<SPAN>ighest and second&nbsp;highest </SPAN></SPAN></P> Thu, 25 Feb 2016 18:12:04 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73600#M41472 pankaku 2016-02-25T18:12:04Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73601#M41473 <P>So you've got an Anti-Spyware policy set up like this:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2779i46FD6DC7DDC84ED3/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Anti-Spyware.png" title="Anti-Spyware.png" /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>With no logs in threat that look like this?</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2780i8F725B68785B8805/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Threat_Log.png" title="Threat_Log.png" /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have any "Traffic" logs of hosts going to your sinkhole IP?</P> Thu, 25 Feb 2016 18:12:20 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73601#M41473 Brandon_Wertz 2016-02-25T18:12:20Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73768#M41528 <P>Thanks for the response, for further info as of today we are running AV 1797-2276 and I have performed further tests.</P> <P>&nbsp;</P> <P>My sinkhole spyware profile is configured like this:</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2822iA3445C31D0ADC64E/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="dns1.JPG" title="dns1.JPG" /></P> <P>&nbsp;</P> <P>I then attempt to lookup a known malicious domain. &nbsp;In the traffic logs I can see that my test traffic hits the correct&nbsp;security&nbsp;rule that should apply the dns sinkhole IP address. &nbsp;However it does not sinkhole the traffic and does not trigger a threat log for spyware domain.</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2824i09DFBA39C5E834DE/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="dns3.JPG" title="dns3.JPG" /></P> <P>&nbsp; &nbsp;</P> <P>&nbsp;</P> <P>Using packet capture I can see that my query contains the known malicious domain as below:<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2823iEEEA6719355CDAED/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="dns2.JPG" title="dns2.JPG" /></P> <P>&nbsp;</P> <P>Does anyone have any further thoughts that may help please? &nbsp;</P> <P>&nbsp;</P> Mon, 29 Feb 2016 09:40:01 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73768#M41528 Smi12 2016-02-29T09:40:01Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73783#M41532 <P>If you will check the url cateogry as malicious then it will/may not trigger the sinkhole. Check the link that I have sent you follow it once just for testing.</P> <P><A href="https://live.paloaltonetworks.com/t5/Threat-Articles/Where-to-Get-a-Suspicious-DNS-Query-for-Testing-DNS-Sinkhole/ta-p/66048" target="_blank">https://live.paloaltonetworks.com/t5/Threat-Articles/Where-to-Get-a-Suspicious-DNS-Query-for-Testing-DNS-Sinkhole/ta-p/66048</A></P> <P>&nbsp;</P> <P>download and install antivirus&nbsp;<SPAN>1797-2276 and do the dns lookup for "d1e9me*d3jmum*com" replace * with .</SPAN></P> Mon, 29 Feb 2016 13:21:56 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/73783#M41532 pankaku 2016-02-29T13:21:56Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74032#M41588 <P>Not sure how the client is trying to connect to the sinkhole IP addres if it's receiving an error code in the DNS response instead of the sinkhole IP address (unless the packet capture is missing something). By any chance is the client using an internal DNS server?</P> <P>&nbsp;</P> <P>From RFC 1035 (DNS) the response "no such name"</P> <PRE class="newpage"> 3 Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.</PRE> <P>&nbsp;</P> Thu, 03 Mar 2016 04:12:13 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74032#M41588 glastra1 2016-03-03T04:12:13Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74040#M41589 <P>Yeah, check who is sending those 'no such name' responses. That can't be PA.&nbsp;</P> Thu, 03 Mar 2016 07:56:55 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74040#M41589 santonic 2016-03-03T07:56:55Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74110#M41611 <P>Hello, &nbsp;it is the remote DNS server sending the "no such name" response. &nbsp;However what I was expecting is that for the reason the lookup contains a known malware domain it would trigger the PA to respond with the Sinkhole IP instead. &nbsp;Instead its not seen as Malware so does not trigger the sinkhole. &nbsp; &nbsp;I'm going to be spending some time next week looking at this again and will update. &nbsp;</P> Fri, 04 Mar 2016 08:58:20 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-not-triggering-for-known-malicious-domains/m-p/74110#M41611 Smi12 2016-03-04T08:58:20Z