https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239072#M68475 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97840">@aaobuhov</a>,</P><P>While namecha.in is present in the PAN-DB URL Classifications it doesn't look like it currently actually has an active DNS Signature in place, which is what the Sinkhole process would trigger on. It was first released in 2732, but it's not showing as being active in a current release. The other domain has the same issue, it isn't showing as having a current active signature.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Nov 2018 14:52:23 GMT BPry 2018-11-08T14:52:23Z https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239039#M68463 <P>Hello, all</P><P>&nbsp;</P><P>I am testing Anti-Spyware DNS sinkhole. I set:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sinkhole.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17470iEC23C5551C0D196A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Sinkhole.png" alt="Sinkhole.png" /></span></P><P>&nbsp;</P><P>I make policy with this profile.</P><P>&nbsp;</P><P>For most DNS-names in category&nbsp;“Malware” и “Command and Control” (<A href="https://threatvault.paloaltonetworks.com/" target="_blank">https://threatvault.paloaltonetworks.com/</A>) i see nslookup answer, for example:</P><P>&nbsp;</P><P>Addresses: ::1<BR />127.0.0.1</P><P>And it is good.</P><P>&nbsp;</P><P>But for two DNS-names: namecha.in,&nbsp;4cdf1kuvlgl5zpb9.pmr.cc&nbsp;(Malware category too) sinkhole is not working and i see ip-adresses in nslookup answer.</P><P>&nbsp;</P><P>What can be wrong? I need advice.</P><P>Yes, i can make my own external dynamic list, but why standart not working for malware?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Nov 2018 09:34:10 GMT https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239039#M68463 aaobuhov 2018-11-08T09:34:10Z https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239072#M68475 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97840">@aaobuhov</a>,</P><P>While namecha.in is present in the PAN-DB URL Classifications it doesn't look like it currently actually has an active DNS Signature in place, which is what the Sinkhole process would trigger on. It was first released in 2732, but it's not showing as being active in a current release. The other domain has the same issue, it isn't showing as having a current active signature.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Nov 2018 14:52:23 GMT https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239072#M68475 BPry 2018-11-08T14:52:23Z https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239242#M68506 <P>Hello, BPy</P><P>&nbsp;</P><P>It is clear for me now, what&nbsp;<SPAN>PAN-DB URL&nbsp;database is not same as PA DNS Signature database.</SPAN></P><P><SPAN>Thank you.</SPAN></P> Fri, 09 Nov 2018 05:18:37 GMT https://live.paloaltonetworks.com/t5/general-topics/testing-sinkhole-dns/m-p/239242#M68506 aaobuhov 2018-11-09T05:18:37Z