https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/103940#M44661 <P>If you reslove the URLs in those DNS queries you will get IPs of C&amp;C servers.</P><P>&nbsp;</P><P>The original source of the infection will not be so easy to find.</P><P>For start check threat logs with IPs of the infected machines as source or destination. You might also want to check URL logs if it&nbsp;visited some of the suspicious categories (malware, unknown..) if these aren't blocked. If you pinpoint the moment of infection from system logs on the infected device maybe check traffic logs as well. That's as much as you can check on FW. But if the source infection was encrypted connection&nbsp;or USB stick you won't find much info on firewall.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Aug 2016 13:58:02 GMT santonic 2016-08-17T13:58:02Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/103900#M44657 <P>I've configured a DNS sinkhole in our PAN firewall, and it's helped our department identify machines that are trying to reach out to malicious domains and such. Is it possible to identify the original, intended, destination that the user was attempting to reach when they became innfected?&nbsp;</P> Wed, 17 Aug 2016 13:10:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/103900#M44657 cleediker 2016-08-17T13:10:24Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/103940#M44661 <P>If you reslove the URLs in those DNS queries you will get IPs of C&amp;C servers.</P><P>&nbsp;</P><P>The original source of the infection will not be so easy to find.</P><P>For start check threat logs with IPs of the infected machines as source or destination. You might also want to check URL logs if it&nbsp;visited some of the suspicious categories (malware, unknown..) if these aren't blocked. If you pinpoint the moment of infection from system logs on the infected device maybe check traffic logs as well. That's as much as you can check on FW. But if the source infection was encrypted connection&nbsp;or USB stick you won't find much info on firewall.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Aug 2016 13:58:02 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/103940#M44661 santonic 2016-08-17T13:58:02Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/106680#M44829 <P>Thanks for the reply, Santonic.&nbsp;</P> Wed, 24 Aug 2016 12:55:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-intended-destination/m-p/106680#M44829 cleediker 2016-08-24T12:55:57Z