Tips & Tricks: Using DNS Sinkhole to find Malicious Clients
on 04-22-201508:23 AM - last edited on 09-14-201507:11 AM by reaper
Hello again, Joe Delio from the Community team here, Today I will be introducing another new Community Feature:
Tips & Tricks
Inside Tips & Tricks, we will be talking about a specific Palo Alto Networks Firewall or Panorama feature, explaining what it is, how to configure it and how to use that feature. It is intended to teach you new features easily.
Today I will be talking about DNS Sinkhole.
What is DNS Sinkhole? Why do I want to enable this feature?
Starting with Pan-OS 6.0, a new feature called DNS Sinkhole was added to help battle malicious software (malware and spyware) in networks. This feature works by monitoring DNS requests for malicious DNS requests passing through the Firewall. If one is found, then the Palo Alto Networks device can forge a response causing the malicious domain name to resolve to a customer defined IP address (bogus IP). This will prevent the Malicious DNS request from working, stopping the Malware or Spyware from communicating to the Internet, as well as recording this information in the logs.
How do I configure DNS Sinkhole?
Please refer to the following document for instructions on configuring DNS Sinkhole:
Tips & Tricks using DNS Sinkhole to find malicious clients
The following is the sequence of events that will occur when the sinkhole feature is enabled with bogus IP 184.108.40.206:
Malicious software on an infected host sends a DNS query to resolve a malicious DNS request on the Internet.
If the infected internal hosts's DNS query is sent to an internal DNS server(the firewall will never see the host make this request, and is essentially hidden), that internal DNS server then queries a public DNS server on the other side of the firewall.
If the DNS query matches a DNS entry in the DNS signatures database, the sinkhole action will be performed on the query, and the forged IP (220.127.116.11) is given in response, and a log in the threat logs for "Suspicious DNS request" will be recorded.
The infected client then attempts to start a session with the host, but uses the forged IP (18.104.22.168) address instead. If a policy blocks access to that forged (bogus) IP, then that will show up in the traffic logs.
All the administrator needs to do is look for "malicious DNS" query in the threat log, and can then search the traffic logs for the forged sinkhole IP address 22.214.171.124 and can easily locate the client IP address that is trying to start a malicious session with the sinkhole IP address. Since all traffic is stopped, it will ensure a secure network.
NOTE: If the request is made from an internal device making the DNS request directly, through the firewall, you will see the same IP address make the Initial DNS request as well as seeing the HTTP(S) request to the bogus IP (126.96.36.199). Most of the time this is NOT the case.
Previous to the sinkhole action it was impossible to tell who is the end user (the infected machine) and in the logs you could only see the internal DNS server as a part of the communication that is triggering this signature, but now, the Palo Alto Networks device can forge the response for the infected domains to a locally significant address we is able to capture the traffic afterwards and get the real infected machine.