https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12696#M9311 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source. However, if a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source when accessing malicious website. Please find the below document for your reference.</SPAN></P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/docs/DOC-7783">DNS Sinkhole Process with Internal DNS Server</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Sarath<BR /></SPAN></P></BODY></HTML> Fri, 24 Oct 2014 15:28:01 GMT sbabu 2014-10-24T15:28:01Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12693#M9308 <HTML><HEAD></HEAD><BODY><P>Hi All -</P><P></P><P>Looking through my threat monitor and I am seeing a lot of <STRONG>Suspicious DNS Query</STRONG> entries in there.&nbsp; I have two internal DNS servers, and the entries are for both of them -- the drop-all-packets action is being taken, so it's good the PA is stopping them.&nbsp; If I had to take a guess, 90% of the entries in my entire threat monitor are the <STRONG>Suspicious DNS Query</STRONG> entries.&nbsp; I've scanned and scanned and scanned my DNS servers (both Windows 2003 Server) for viruses and malware, but nothing is ever found.&nbsp; I'm concerned about these even though the packets are being dropped.&nbsp; Should I not be worried about them, is there something I can do to prevent them, or is it just the nature of DNS to query sites -- some of which may be associated with malware -- and I can't do anything?</P><P></P><P>Thanks!</P><P></P><P>Max</P></BODY></HTML> Fri, 28 Mar 2014 15:28:25 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12693#M9308 CarthageCollege 2014-03-28T15:28:25Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12694#M9309 <HTML><HEAD></HEAD><BODY><P>OK.&nbsp; Perhaps I posted that too soon.</P><P></P><P>I just found this:&nbsp; <A href="https://live.paloaltonetworks.com/message/25883">Suspicious DNS Query - how to find source computer?</A>.</P><P></P><P>It looks like the query isn't coming from my DNS server, but a host using my DNS server.&nbsp; You can enable debugging on your DNS server and find the source computer.&nbsp; I think it all makes sense now!</P><P></P><P>Max</P></BODY></HTML> Fri, 28 Mar 2014 15:51:40 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12694#M9309 CarthageCollege 2014-03-28T15:51:40Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12695#M9310 <HTML><HEAD></HEAD><BODY><P>The new DNS Sinkholing feature in PAN-OS 6.0 can help you identify the client that requested the malicious DNS entry without having to go to the DNS server.&nbsp; </P></BODY></HTML> Fri, 28 Mar 2014 16:51:41 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12695#M9310 jvalentine 2014-03-28T16:51:41Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12696#M9311 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source. However, if a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source when accessing malicious website. Please find the below document for your reference.</SPAN></P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/docs/DOC-7783">DNS Sinkhole Process with Internal DNS Server</A></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Sarath<BR /></SPAN></P></BODY></HTML> Fri, 24 Oct 2014 15:28:01 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query/m-p/12696#M9311 sbabu 2014-10-24T15:28:01Z