https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394965#M91215 <P>Just a quick reply.. if you want to learn more about DNS Sinkhole.. please check out the Learning Happy Hour that we have on the LIVEcommunity YouTube channel here:</P> <P><A href="https://www.youtube.com/watch?v=FUFtEEMEE00&amp;list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_&amp;index=36&amp;ab_channel=PaloAltoNetworksLIVEcommunity" target="_blank">https://www.youtube.com/watch?v=FUFtEEMEE00&amp;list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_&amp;index=36&amp;ab_channel=PaloAltoNetworksLIVEcommunity</A></P> <P>&nbsp;</P> <P>If you liked any of that, please be sure to check out the other Learning Happy Hours here:</P> <P><A href="https://www.youtube.com/playlist?list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_" target="_blank">https://www.youtube.com/playlist?list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_</A></P> <P>&nbsp;</P> Tue, 30 Mar 2021 17:22:45 GMT jdelio 2021-03-30T17:22:45Z https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394864#M91198 <P>Hi Everyone,</P><P>&nbsp;</P><P>i need your help to better undestand how DNS Sinkhole actually works.</P><P>I mean, i know how it works, how to configure it, but i'm facing a strange behaviour i cannot understand.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dns sinkhole.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30648iCAA569198955C99F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="dns sinkhole.png" alt="dns sinkhole.png" /></span></P><P>In the photo i have uploaded i have an example.</P><P>Both source and destination are in the same subnet (i have obscured the first two octects for privacy)</P><P>the destination of the log (99.7) should be the client trying to contact the C2 domain, but the source doesn't exists! It's not the interface IP of PA, nor a host in the subnet!</P><P>this is not the only log showing this, there are many of them, and every one have this particularity: the source is always a previous or following IP (for example, if the destination IP is 99.100, i can find sources 99.99 or 99.101, and so on).</P><P>&nbsp;</P><P>Can someone who better knows this function heelp me understand what is happening?</P><P>&nbsp;</P><P>Regards,</P><P>Daniele</P> Tue, 30 Mar 2021 08:20:56 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394864#M91198 DKanta 2021-03-30T08:20:56Z https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394904#M91201 <P>So you do not have LDNS server with an IP address as a source as if the clients are not directly connecting to the Palo Alto and using as a DNS proxy it could be a LDNS server <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing</A> ?</P><P>&nbsp;</P><P>Usefull things how to check the DNS sinkhole:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmFCAS" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmFCAS</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Also is the source zone the same as the destination zone as if the IP addresses are in the same network they should be but maybe the source IP address is spoofed (false) or you have some kind of asimetric routing?</P> Tue, 30 Mar 2021 18:49:50 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394904#M91201 nikoolayy1 2021-03-30T18:49:50Z https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394965#M91215 <P>Just a quick reply.. if you want to learn more about DNS Sinkhole.. please check out the Learning Happy Hour that we have on the LIVEcommunity YouTube channel here:</P> <P><A href="https://www.youtube.com/watch?v=FUFtEEMEE00&amp;list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_&amp;index=36&amp;ab_channel=PaloAltoNetworksLIVEcommunity" target="_blank">https://www.youtube.com/watch?v=FUFtEEMEE00&amp;list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_&amp;index=36&amp;ab_channel=PaloAltoNetworksLIVEcommunity</A></P> <P>&nbsp;</P> <P>If you liked any of that, please be sure to check out the other Learning Happy Hours here:</P> <P><A href="https://www.youtube.com/playlist?list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_" target="_blank">https://www.youtube.com/playlist?list=PLD6FJ8WNiIqUCHEz5r8KDmFFtE37PlZT_</A></P> <P>&nbsp;</P> Tue, 30 Mar 2021 17:22:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-dns-sinkhole-actually-works/m-p/394965#M91215 jdelio 2021-03-30T17:22:45Z