Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

L4 Transporter

Since PA recommends using 1.1.1.1 for DNS sinkholes, I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1.

https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1

L7 Applicator

Re: Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

Hello,

I was thinking the same thing when I saw the article. Since we only allow our AD servers to go out for DNS resolution and all our clients point internally to the AD servers, it's not going to be a big deal for us. We use least-privileged, deny-all, allow-by-exception in our policies. If you allow clients to reach out to external sources for DNS, then use the Palo Alto alternative IP.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891

Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (71.19.152.112).

Hope that helps.

Regards,

Community Manager

Re: Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

For the record, the official recommendation is to use the predefined provided IP address, or 71.19.152.112, as shown below (predefined IPs may vary depending on your region).

The occasional 1.1.1.1 showing up in knowledge base articles is basically the author (myself included, I'll admit that) being lazy. We're in the process of cleaning that up though. Please don't use 1.1.1.1 ;)

[Screenshot: sinkhole default ip.png]


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

@reaper Thanks for the info. BTW it looks like 71.19.152.112 resolves to prgmr.com. FWIW our predefined is 72.5.65.111.

Side note to anyone alerting on sinkholes from a SIEM: if you change the sinkhole IP, make sure to change your alert triggers.
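
The side note above about SIEM triggers, as an added example that is not part of the original posts: Python detection logic that flags clients connecting to the currently configured sinkhole IP and puts hits on the retired 1.1.1.1 in a separate review bucket, since that address now hosts a real resolver. The CSV layout, sample rows and the function name `find_sinkhole_hits` are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Sinkhole addresses named in the thread; use whatever your profile is set to.
CURRENT_SINKHOLES = {"71.19.152.112", "72.5.65.111"}
# Formerly used as a sinkhole, now a real public resolver: a hit is not proof of infection.
RETIRED_SINKHOLES = {"1.1.1.1"}

# Constructed sample traffic log (hypothetical CSV layout, not a vendor export).
SAMPLE_LOG = """time,src,dst,dport
2018-04-02T09:00:01,10.1.20.15,72.5.65.111,80
2018-04-02T09:00:07,10.1.20.15,72.5.65.111,443
2018-04-02T09:01:12,10.1.30.8,1.1.1.1,53
2018-04-02T09:02:40,10.1.40.22,1.1.1.1,8080
2018-04-02T09:03:05,10.1.50.3,203.0.113.10,443
"""


def find_sinkhole_hits(log_text, sinkholes, retired=frozenset()):
    """Return (alerts, review): dicts of source IP -> sorted destination ports.

    alerts: traffic to a configured sinkhole (client resolved a sinkholed name).
    review: traffic to a retired sinkhole IP that now hosts a real service.
    """
    sink = {ipaddress.ip_address(a) for a in sinkholes}
    old = {ipaddress.ip_address(a) for a in retired}
    alerts, review = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"].strip())
        except ValueError:
            continue  # skip malformed rows instead of aborting the run
        if dst in sink:
            alerts[row["src"]].add(int(row["dport"]))
        elif dst in old:
            review[row["src"]].add(int(row["dport"]))
    return ({s: sorted(p) for s, p in alerts.items()},
            {s: sorted(p) for s, p in review.items()})


if __name__ == "__main__":
    alerts, review = find_sinkhole_hits(SAMPLE_LOG, CURRENT_SINKHOLES, RETIRED_SINKHOLES)
    print("alert :", alerts)
    print("review:", review)
    # A trigger left on the old address never sees the host hitting the new sinkhole.
    stale, _ = find_sinkhole_hits(SAMPLE_LOG, {"1.1.1.1"})
    print("stale trigger flags:", sorted(stale))
```
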

L7 Applicator

Re: Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

As of today, the official Palo sinkhole does not provide any additional benefit (replying to HTTP requests, etc.), so I prefer to use a custom IP. Any hard-coded IP makes it easy for malware to identify that it is being fooled by Palo :)

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
Community Manager

Re: Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

@Raido you could consider setting up your own honeypot and redirecting any sinkholes there.

The predefined sinkhole IP truly discards everything, but is an internet IP, so 'smart' malware is less likely to detect it is a false IP (if it checks for private IP DNS replies to identify it is being blackholed).


Help the community: Like helpful comments and mark solutions
Reaper out