https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308530#M80033 <P>Hello,</P><P>This is why a multi layered approach is the best approach. As to why, that is for PAN to answer as to what is and is not sinkholed. URL filtering should also be used for this. In addition to this use the the Palo Alto EBL's and a secure DNS provider.&nbsp;</P><P>&nbsp;</P><P>Only allow DNS servers to go out over DNS/53UDP and block local machine to do so. Also point your DNS servers to a secure provider. While Palo Alto has a service, there are others out there, some at no charge, OpenDNS, TitanHQ, Quad9.</P><P>&nbsp;</P><P>In addition to this follow the PAN best practices and decrypt SSL where you can.</P><P>&nbsp;</P><P>Regards,</P> Wed, 29 Jan 2020 16:19:10 GMT OtakarKlier 2020-01-29T16:19:10Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308511#M80029 <P>We are finding that even domains configured as malware/c2 are not getting sinkholed.&nbsp; &nbsp;I'm aware from other posts, that these are not the same database on the firewall.&nbsp; &nbsp;</P><P>&nbsp;</P><P>Why are these not persistent?&nbsp; Why would you not flag on a DNS lookup that is out to resolve a malware/c2 domain - and NOT sinkhole it?&nbsp; Is the DNS database something that get's updated with the code release version, and is this why Palo came out with the DNS security service?&nbsp; &nbsp;We have other products that are flagging on domains that are clearly marked as malware- but palo is letting them resolve.&nbsp;</P> Wed, 29 Jan 2020 15:32:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308511#M80029 Sec101 2020-01-29T15:32:48Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308530#M80033 <P>Hello,</P><P>This is why a multi layered approach is the best approach. As to why, that is for PAN to answer as to what is and is not sinkholed. URL filtering should also be used for this. In addition to this use the the Palo Alto EBL's and a secure DNS provider.&nbsp;</P><P>&nbsp;</P><P>Only allow DNS servers to go out over DNS/53UDP and block local machine to do so. Also point your DNS servers to a secure provider. While Palo Alto has a service, there are others out there, some at no charge, OpenDNS, TitanHQ, Quad9.</P><P>&nbsp;</P><P>In addition to this follow the PAN best practices and decrypt SSL where you can.</P><P>&nbsp;</P><P>Regards,</P> Wed, 29 Jan 2020 16:19:10 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308530#M80033 OtakarKlier 2020-01-29T16:19:10Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308565#M80044 <P>Thank you for the reply.&nbsp; &nbsp;I just don't understand why the palo would allow resolution requests over udp/53 - for known malware domains? - What good is sinkholing if it doesn't sinkhole?</P> Wed, 29 Jan 2020 18:58:22 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308565#M80044 Sec101 2020-01-29T18:58:22Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308598#M80048 <P>Hello,</P><P>So here could be the reason:</P><P><SPAN>Suspicious DNS Query signatures are looking for DNS resolution to domains potentially associated with C2 traffic, which could be an indication of a breached machine.</SPAN></P><P>&nbsp;</P><P><SPAN>So what the sinkhole is looking for and blocking, are C2 communications, not really all bad domains.</SPAN></P><P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5kCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5kCAC</A></SPAN></P><P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC</A></SPAN></P><P>&nbsp;</P><P><SPAN>Hope that helps clarify things.</SPAN></P> Wed, 29 Jan 2020 22:40:09 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308598#M80048 OtakarKlier 2020-01-29T22:40:09Z https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308614#M80053 <P>Interesting.&nbsp; &nbsp;One of the domains was marked as c2.&nbsp; I could still get a resolution on it though.&nbsp; Even though other domains I could confirm were getting sinkholed.&nbsp; &nbsp; &nbsp; So i'm not sure now they are missing that?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Either way, Props&nbsp;&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; for the good reply on how this works, and how to setup secure DNS services.</P> Thu, 30 Jan 2020 03:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-database-view-or-test/m-p/308614#M80053 Sec101 2020-01-30T03:33:03Z