topic Re: DNS sinkhole not blocking malware in General Topics

DNS sinkhole not blocking malware

raji_toor — Fri, 01 Jun 2018 18:58:51 GMT

PC does DNS query, which gets inspected and is not sinkholed. PC then sends traffic to resolved address which gets inspected and blocked as malware. This is the pattern i am seeing right now and this is not for a single domain.

I am not saying sinkhole is not working, it is working but not for all destinations. Below is the example of both sinkhole and threat block. Source IP's are in the same subnet using same rule when quering for DNS.

It seems even though firewall has knowledge of destination associated with malware it will still not block it at the DNS phase.

Re: DNS sinkhole not blocking malware

Remo — Sun, 03 Jun 2018 08:41:12 GMT

Hi @raji_toor

There are two different databases behind there two features, which means that something that is categorized as malware in URL filtering does not need to be also in the DNS signatures. In addition with URL filtering it is possible that the domain is categorized as business-and-economy while a subfolder is categorized as malware. Another difference is also that the DNS signatures are more "static" than URL filtering. DNS signatures are updated with the antivirus updates and contain always the full list of DNS signatures which is limited in the way this feature is designed. This DNS signatures simply cannot contain ALL malware, phishing, spyware domains as the list would simply be too big. With urlfiltering the firewall has a local cache of URL and if it does not know the category for a particular URL, it queries the cloud for the category.

So what you saw in your logs is actually expected behaviour. If you want to request a change here for something like a cloud lookup for the DNS sinkhole feature, ask your SE to create a feature request for that.

Regards,

Remo

Re: DNS sinkhole not blocking malware

raji_toor — Mon, 04 Jun 2018 17:03:12 GMT

@Remo I as an administrator can see that firewall is blocking malware either through DNS / URL filtering. There are DNS solutions which claim to stop malware just based on DNS. So when we pointed our DNS to them, PA is not doing sinkhole while this DNS provider is blocking them. PA is blocking them but at a later step. For higher management this third party DNS solution is working well over PA.

Re: DNS sinkhole not blocking malware

reaper — Tue, 05 Jun 2018 08:53:41 GMT

The best security is always layered, just in case one layer fails

The external DNS service may provide 'better' coverage as the sinkhole signatures are updated periodically and run on a optimized database to address the most active malware domains where the external service's database could be larger, but slower (sinkhole runs on-device and intercepts all DNS while the external DNS service requires lookups and properly configured clients)

In addition to the sinkhole signatures, URL filtering provides a larger repository of malware (and other 'bad') classified domains (pandb) that do support live cloud lookups so when a malware is detected through any one of our many mechanisms, that database will be updated immediately and the verdict will be permeated down to the other services (sinkhole signature, among others)

and lastly, there's still the content scanning of actual malware where we can identify and block all kinds of malware (signature, heuristics, ..)

While the firewall offers many layers of protection, it's never a bad thing to add more 😉 Then if the external service doesn't have a domain listed as malware, at least the firewall will protect the network 😉