This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Configuring DNS sink hole on PA 3050 running PAN-OS 7.1.18

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Configuring DNS sink hole on PA 3050 running PAN-OS 7.1.18

Go to solution
seanmccoy
L2 Linker

‎11-16-2018 10:47 AM

 I need assistance configuring/verifying if DNS Sinkholing is correct on my PA3020 running PAN-OS 7.1.18.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to seanmccoy

‎11-16-2018 02:34 PM

@seanmccoy,

There really isn't a way to verify the object easily on the firewall, you have to get involved with the XML files that actually make up the device and peek around in the tech support file. If you look at the traffic logs for the sinkhole IP do you see any activity, and have you verified that you've setup logging on the rule you created to deny the traffic? 

I wouldn't filter on the sinkhole app-id, that's kind of a bad test. 

View solution in original post

0 Likes Likes
10 REPLIES 10

Go to solution
BPry
Cyber Elite
Cyber Elite

‎11-16-2018 12:03 PM

@seanmccoy,

Here's the knowledgbase article for it HERE, if you have any specific questions please let us know. 

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to BPry

‎11-16-2018 12:55 PM

This is what I see when I choose Palo Alto Networks Sinkhole IP from the drop down

 

sinkhole.JPG

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to seanmccoy

‎11-16-2018 01:22 PM

@seanmccoy,

Okay so outside of a few customizations it looks like you already have it configured and the IP of the default Palo Alto sinkhole IP is just failing to load. At the bottom of that query is a link to a verification document on how you would verify things are properly sinholing, but you should effectively be getting the response of 72.5.65.111 if you attempt to lookup a host that matches one of the DNS Signatures that are published. 

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to BPry

‎11-16-2018 01:55 PM

So I followed step 4 of the query and created the security rule with the Palo Alto Default sinkhole address (72.5.65.111) as the destination and moved it to the top. If I look at threat logs I still see my internal DNS servers IP addresses if I filter by app eq sinkhole.

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to BPry

‎11-16-2018 01:59 PM

Anywhere I can verify that Palo Alto sinkhole IP object on the firewall?

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to seanmccoy

‎11-16-2018 02:34 PM

@seanmccoy,

There really isn't a way to verify the object easily on the firewall, you have to get involved with the XML files that actually make up the device and peek around in the tech support file. If you look at the traffic logs for the sinkhole IP do you see any activity, and have you verified that you've setup logging on the rule you created to deny the traffic? 

I wouldn't filter on the sinkhole app-id, that's kind of a bad test. 

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to BPry

‎11-19-2018 09:13 AM

I'm seeing sinkhole IP activity on two of my current PA security rules now that I've confirmed logging is enabled on both session start and end. The Block-Sinkhole security rule I've implemented to drop indicates one source address currently hitting the sinkhole IP.

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to seanmccoy

‎11-19-2018 09:25 AM

I've refreshed the monitor and now it appears my sinkhole rule is dropping any source IP to the destination sinkhole IP. Thanks for all your help. Have a great holiday!

0 Likes Likes

Go to solution
seanmccoy
L2 Linker
In response to seanmccoy

‎11-19-2018 09:46 AM

One other question is as to what I should be looking into as far as the threat log and the sinkhole type action. I'm still seeing that traffic to a few of my on premise domain controllers.

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to seanmccoy

‎11-19-2018 10:26 AM

@seanmccoy,

So I'm just guessing on your setup here, but I would expect with what you're seeing the domain controllers are also acting as your DNS servers? If that's the case, it simply means that one of the clients on your network is making DNS requests that match the published DNS Signatures, likely because the requested hostname is malicious in nature. 

Unless you have a way to see the actual host -> DNS traffic, or you are loggign the DNS requests on the server, you really won't get a huge amount of actionable data. As of this moment the only thing you know for sure is that someone in your network is causing the DNS servers to make malicious DNS requests; without additional logs that isn't extremely helpful for you. 

0 Likes Likes
  • 1 accepted solution
  • 4372 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks