https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156823#M51486 <P>if u block the URL will be blocked ( but resolve to an IP address)</P><P>sinkhole - will resolve to the specified address.</P> Tue, 16 May 2017 06:52:33 GMT tac.in 2017-05-16T06:52:33Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156623#M51425 <P>Hi,</P><P>What is the benefit if we use sinkhole instead of just blocking malicious domain resolving</P><P>Thanks</P> Mon, 15 May 2017 10:06:18 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156623#M51425 simsim 2017-05-15T10:06:18Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156650#M51437 Hi Simsim,<BR />If the malicious URL is resolved in to an ipaddress , session might be created and your public IP might get blacklisted<BR /> Mon, 15 May 2017 14:13:53 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156650#M51437 tac.in 2017-05-15T14:13:53Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156670#M51445 <P>Hi,</P><P>There are two options&nbsp;</P><P>1) block (default )</P><P>2) sinkhole&nbsp;</P><P>My question is why we don't we go for block instead of sinkhole&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Mon, 15 May 2017 15:27:08 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156670#M51445 simsim 2017-05-15T15:27:08Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156823#M51486 <P>if u block the URL will be blocked ( but resolve to an IP address)</P><P>sinkhole - will resolve to the specified address.</P> Tue, 16 May 2017 06:52:33 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156823#M51486 tac.in 2017-05-16T06:52:33Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156857#M51491 <P>block will simply block the connection, end of story</P> <P>&nbsp;</P> <P>sinkhole will feed the client a false IP address which can help track which hosts are infected:</P> <P>&nbsp;</P> <P>Because malicious DNS requests will typically come from the company bind/ActiveDir DNS server instead of the clients directly you will not know which client is requesting malicious domain info</P> <P>with sinkhole, the infected client will try to connect to the sinkhole IP and you'll know exactly which clients are infected</P> Tue, 16 May 2017 10:15:31 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156857#M51491 reaper 2017-05-16T10:15:31Z https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156873#M51497 <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;mentioned it is good to identify infected client.</P><P>If your environment is set up correctly and traffic from clients to servers passes through firewall then you can identify client even with block activity.</P><P>But too many environments have clients and DNS in same zone so firewall sees only requests sent by DNS server but not clients.</P> Tue, 16 May 2017 11:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/malicious-domain/m-p/156873#M51497 Raido_Rattameister 2017-05-16T11:48:50Z