L4 Transporter

DNS sinkhole database view or test

We are finding that even domains configured as malware/c2 are not getting sinkholed. I'm aware from other posts that these are not the same database on the firewall.

Why are these not persistent? Why would you not flag on a DNS lookup that is out to resolve a malware/c2 domain, and NOT sinkhole it? Is the DNS database something that gets updated with the code release version, and is this why Palo came out with the DNS security service? We have other products that are flagging on domains that are clearly marked as malware, but Palo is letting them resolve.


Accepted Solutions
L7 Applicator

Re: DNS sinkhole database view or test

Hello,

This is why a multi-layered approach is the best approach. As to why, that is for PAN to answer as to what is and is not sinkholed. URL filtering should also be used for this. In addition to this, use the Palo Alto EBLs and a secure DNS provider.

Only allow DNS servers to go out over DNS/53UDP and block local machines from doing so. Also point your DNS servers to a secure provider. While Palo Alto has a service, there are others out there, some at no charge: OpenDNS, TitanHQ, Quad9.

In addition to this, follow the PAN best practices and decrypt SSL where you can.

Regards,



All Replies
L4 Transporter

Re: DNS sinkhole database view or test

Thank you for the reply. I just don't understand why the Palo would allow resolution requests over udp/53 for known malware domains. What good is sinkholing if it doesn't sinkhole?

L7 Applicator

Re: DNS sinkhole database view or test

Hello,

So here could be the reason:

Suspicious DNS Query signatures are looking for DNS resolution to domains potentially associated with C2 traffic, which could be an indication of a breached machine.

So what the sinkhole is looking for and blocking are C2 communications, not really all bad domains.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5kCAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC


Hope that helps clarify things.
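The two points made in this thread, restricting outbound DNS to the internal resolvers and understanding that the sinkhole acts on C2-related signatures rather than every listed domain, can both be checked from the firewall's DNS logs. The script below is an added example written for this page; it is not code from the thread or from Palo Alto Networks. It reads a constructed, simplified CSV export (time, source, destination, queried name, answer) and reports (1) hosts other than the approved resolvers sending DNS out, and (2) queries for feed-listed domains that were answered with a real address instead of the sinkhole IP, tagged with the feed category so C2 and plain malware hits can be compared. The resolver addresses, the sinkhole address, the feed and the log lines are all placeholders.

```python
import csv
import io

# --- Assumptions, constructed for this example (not from the thread) ---
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # the only hosts allowed to send DNS out
SINKHOLE_IP = "192.0.2.1"                          # placeholder: address the firewall returns for sinkholed names
THREAT_FEED = {                                    # placeholder feed: domain -> category
    "bad-c2.example": "command-and-control",
    "evil-malware.example": "malware",
}

FIELDS = ("time", "src", "dst", "query", "answer")

# Constructed DNS log sample in a flat CSV shape: time,src,dst,query,answer.
# Real firewall exports have many more columns; adapt FIELDS to yours.
SAMPLE_LOG = """\
2020-01-01T10:00:00,10.0.0.53,8.8.8.8,benign.example,93.184.216.34
2020-01-01T10:00:01,10.0.0.53,8.8.8.8,bad-c2.example,192.0.2.1
2020-01-01T10:00:02,10.0.0.53,8.8.8.8,evil-malware.example,203.0.113.10
2020-01-01T10:00:03,10.0.5.7,1.1.1.1,benign.example,93.184.216.34
2020-01-01T10:00:04,10.0.5.7,1.1.1.1,bad-c2.example,198.51.100.20
"""


def parse_log(text):
    """Parse CSV log text into a list of dicts keyed by FIELDS (blank lines are skipped)."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["query"]]


def find_rogue_dns_clients(records, resolvers=INTERNAL_RESOLVERS):
    """Outbound DNS from any host that is not an approved internal resolver.

    This is the traffic the 'only let DNS servers out on UDP/53' rule is meant to stop;
    a hit here means a client bypassed the resolvers (and any sinkholing applied to them).
    """
    return [r for r in records if r["src"] not in resolvers]


def find_not_sinkholed(records, feed=THREAT_FEED, sinkhole_ip=SINKHOLE_IP):
    """Queries for feed-listed domains that got a real answer rather than the sinkhole address.

    Each finding carries the feed category, so you can see whether the misses are
    plain 'malware' entries (outside the sinkhole's C2-signature scope) or C2 entries.
    Queries with no answer are skipped: they are evidence of neither outcome.
    """
    findings = []
    for r in records:
        category = feed.get(r["query"].lower().rstrip("."))
        if category is None:
            continue
        if r["answer"] and r["answer"] != sinkhole_ip:
            findings.append({**r, "category": category})
    return findings


def analyze(text):
    """Run both checks over raw log text and return the findings grouped by kind."""
    records = parse_log(text)
    return {
        "rogue_dns_clients": find_rogue_dns_clients(records),
        "not_sinkholed": find_not_sinkholed(records),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)}")
        for h in hits:
            print("  ", h["time"], h["src"], h["query"], "->", h["answer"], h.get("category", ""))
```

On the sample data the second check reports one "malware" miss from the resolver and one C2 miss from a host that bypassed the resolvers; the first of those is consistent with the explanation above, the second is what the egress restriction in the accepted answer would have prevented.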

L4 Transporter

Re: DNS sinkhole database view or test

Interesting. One of the domains was marked as c2. I could still get a resolution on it though, even though other domains I could confirm were getting sinkholed. So I'm not sure now why they are missing that?

Either way, props to @OtakarKlier for the good reply on how this works and how to set up secure DNS services.
