Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)



L4 Transporter

Since PA recommends using 1.1.1.1 for DNS sinkholes, I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1.

https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1


Cyber Elite

Hello,

I was thinking the same thing when I saw the article. Since we only allow our AD servers to go out for DNS resolution and all our clients point internally to the AD servers, it's not going to be a big deal for us. We use least-privileged, deny-all, allow-by-exception in our policies. If you allow clients to reach out to external sources for DNS, then use the Palo Alto alternative IP.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891

Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (71.19.152.112).

Hope that helps.

Regards,

For the record, the official recommendation is to use the predefined provided IP address, or 71.19.152.112, as shown below (predefined IPs may vary depending on your region).

The occasional 1.1.1.1 showing up in knowledge base articles is basically the author (myself included, I'll admit that) being lazy. We're in the process of cleaning that up though. Please don't use 1.1.1.1 😉

[image: sinkhole default ip.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thanks for the info. BTW it looks like 71.19.152.112 resolves to prgmr.com. FWIW our predefined is 72.5.65.111

Side note to anyone alerting on sinkholes from a SIEM: if you change the sinkhole IP, make sure to change your alert triggers.
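As an added illustration of that side note (example code, not from the thread or from Palo Alto Networks), the script below keeps the sinkhole address as a parameter so a firewall change does not silently break the SIEM alert; it also shows why a stale 1.1.1.1 trigger would now fire on ordinary Cloudflare DNS traffic. The log lines are constructed samples in a simplified layout, 72.5.65.111 is the predefined IP mentioned above, and 10.x / 198.51.100.x addresses are assumed.

```python
"""Flag hosts whose connections go to the configured DNS sinkhole address."""
import ipaddress
from collections import defaultdict

# Constructed sample rows: timestamp, source IP, destination IP, dest port, app.
# This is a simplified layout, not actual Palo Alto traffic-log output.
SAMPLE_LOGS = """\
2024-05-01T10:00:01,10.1.2.15,72.5.65.111,443,ssl
2024-05-01T10:00:02,10.1.2.15,198.51.100.7,80,web-browsing
2024-05-01T10:00:05,10.1.2.77,72.5.65.111,80,web-browsing
2024-05-01T10:00:09,10.1.2.15,72.5.65.111,8080,unknown-tcp
2024-05-01T10:00:11,10.1.3.9,1.1.1.1,53,dns
"""

def parse_traffic_logs(text):
    """Parse the constructed CSV layout into dicts; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, app = parts
        try:
            rows.append({"ts": ts, "src": ipaddress.ip_address(src),
                         "dst": ipaddress.ip_address(dst),
                         "port": int(port), "app": app})
        except ValueError:
            continue  # unparsable address or port
    return rows

def sinkholed_hosts(rows, sinkhole_ips):
    """Return {source IP: hit count} for connections to any sinkhole address."""
    targets = {ipaddress.ip_address(ip) for ip in sinkhole_ips}
    hits = defaultdict(int)
    for r in rows:
        if r["dst"] in targets:
            hits[str(r["src"])] += 1
    return dict(hits)

def alert_set_covers(firewall_sinkhole_ip, siem_alert_ips):
    """True if the SIEM trigger list still contains the firewall's sinkhole IP."""
    return ipaddress.ip_address(firewall_sinkhole_ip) in {
        ipaddress.ip_address(ip) for ip in siem_alert_ips}

if __name__ == "__main__":
    rows = parse_traffic_logs(SAMPLE_LOGS)
    print(sinkholed_hosts(rows, ["72.5.65.111"]))      # the two infected hosts
    print(sinkholed_hosts(rows, ["1.1.1.1"]))          # stale trigger: plain DNS
    print(alert_set_covers("72.5.65.111", ["1.1.1.1"]))  # False: alert is stale
```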

As of today, the official Palo sinkhole does not provide any additional benefit (replying to HTTP requests, etc.), so I prefer to use a custom IP. Any hard-coded IP makes it easy for malware to identify that it is being fooled by Palo 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister You could consider setting up your own honeypot and redirecting any sinkholes there.

The predefined sinkhole IP truly discards everything, but it is an internet IP, so 'smart' malware is less likely to detect that it is a false IP (if it checks for private-IP DNS replies to identify that it is being blackholed).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization