https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/208409#M61004 <P>Since PA recommends using 1.1.1.1 for DNS sinkholes I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1</P><P>&nbsp;</P><P><A href="https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1" target="_blank">https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1</A></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Apr 2018 16:06:22 GMT hshawn 2018-04-02T16:06:22Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/208409#M61004 <P>Since PA recommends using 1.1.1.1 for DNS sinkholes I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1</P><P>&nbsp;</P><P><A href="https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1" target="_blank">https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1</A></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Apr 2018 16:06:22 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/208409#M61004 hshawn 2018-04-02T16:06:22Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/208458#M61018 <P>Hello,</P><P>I was thinking the same thing when I saw the article. Since we only allow our AD servers to go out for DNS resolution and all our clients point internally to the AD servers, its not going to be a big deal for us. We use least privelged deny all allow by exception in our policies. If you allow clients to reach out to external sources for DNS, then use the Palo Alto alternative IP.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891</A></P><P>&nbsp;</P><P><SPAN>Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (71.19.152.112).</SPAN></P><P>&nbsp;</P><P><SPAN>Hope that helps.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P> Mon, 02 Apr 2018 19:29:54 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/208458#M61018 OtakarKlier 2018-04-02T19:29:54Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209512#M61252 <P>For the record, the <A href="https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing" target="_blank">official recommendation</A> is to use the predefined provided IP address, or 71.19.152.112, as shown below (predefined IP's may vary depending on your region)</P> <P>The occasional 1.1.1.1 showing up in knowledge base articles are basically the author (myself included, i'll admit that) being lazy. We're in the process of cleaning that up though. please don't use 1.1.1.1 <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sinkhole default ip.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14697iF4BC570CFA95A349/image-size/large?v=v2&amp;px=999" role="button" title="sinkhole default ip.png" alt="sinkhole default ip.png" /></span></P> Wed, 11 Apr 2018 07:33:45 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209512#M61252 reaper 2018-04-11T07:33:45Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209562#M61259 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;Thanks for the info. BTW it looks like 71.19.152.112 resolves to prgmr.com. FWIW our predefined is 72.5.65.111</P><P>&nbsp;</P><P>side note to anyone alerting on sinkholes from a SEIM if you change the sinkhole IP make sure to change your alert triggers</P> Wed, 11 Apr 2018 14:44:08 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209562#M61259 hshawn 2018-04-11T14:44:08Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209807#M61305 <P>As today Palo official sinkhole does not provide any additional benefit (reply to HTTP requests etc) I prefer to use custom IP. Any hard coded IP makes malware easy to identify that it is being fooled by Palo <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 12 Apr 2018 15:34:57 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209807#M61305 Raido_Rattameister 2018-04-12T15:34:57Z https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209928#M61337 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;you could consider setting up your own honeypot and redirecting any sinkholes there</P> <P>&nbsp;</P> <P>The predefined sinkhole IP truly discards everything, but is an internet IP so 'smart' malware is less likely to detect it is a false IP (if it checks for private ip DNS replies to identify it is being blackholed)</P> Fri, 13 Apr 2018 08:06:17 GMT https://live.paloaltonetworks.com/t5/general-topics/cloudflare-using-1-1-1-1-palo-alto-recommended-ipv4-dns-sinkhole/m-p/209928#M61337 reaper 2018-04-13T08:06:17Z