Since PA recommends using 184.108.40.206 for DNS sinkholes, I thought it would be interesting for those of us following this practice that Cloudflare is now using 220.127.116.11.
I was thinking the same thing when I saw the article. Since we only allow our AD servers to go out for DNS resolution and all our clients point internally to the AD servers, it's not going to be a big deal for us. We use least-privileged, deny-all, allow-by-exception in our policies. If you allow clients to reach out to external sources for DNS, then use the Palo Alto alternative IP.
Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (18.104.22.168).
Hope that helps.
For the record, the official recommendation is to use the predefined provided IP address, or 22.214.171.124, as shown below (predefined IPs may vary depending on your region).
The occasional 126.96.36.199 showing up in knowledge base articles is basically the author (myself included, I'll admit that) being lazy. We're in the process of cleaning that up though. Please don't use 188.8.131.52 ;)
@reaper Thanks for the info. BTW it looks like 184.108.40.206 resolves to prgmr.com. FWIW our predefined is 220.127.116.11
Side note to anyone alerting on sinkholes from a SIEM: if you change the sinkhole IP, make sure to change your alert triggers.
As of today, the Palo official sinkhole does not provide any additional benefit (reply to HTTP requests etc.), so I prefer to use a custom IP. Any hard-coded IP makes it easy for malware to identify that it is being fooled by Palo :)
@Raido You could consider setting up your own honeypot and redirecting any sinkholes there.
The predefined sinkhole IP truly discards everything, but is an internet IP, so 'smart' malware is less likely to detect it is a false IP (if it checks for private IP DNS replies to identify it is being blackholed).