DNS sinkhole not blocking malware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DNS sinkhole not blocking malware

L4 Transporter

PC does DNS query, which gets inspected and is not sinkholed. PC then sends traffic to resolved address which gets inspected and blocked as malware. This is the pattern i am seeing right now and this is not for a single domain. 

 

I am not saying sinkhole is not working, it is working but not for all destinations. Below is the example of both sinkhole and threat block. Source IP's are in the same subnet using same rule when quering for DNS.

 

It seems even though firewall has knowledge of destination associated with malware it will still not block it at the DNS phase. 

 

image.pngimage.png

1 accepted solution

Accepted Solutions

The best security is always layered, just in case one layer fails

 

The external DNS service may provide 'better' coverage as the sinkhole signatures are updated periodically and run on a optimized database to address the most active malware domains where the external service's database could be larger, but slower (sinkhole runs on-device and intercepts all DNS while the external DNS service requires lookups and properly configured clients)

 

In addition to the sinkhole signatures, URL filtering provides a larger repository of malware (and other 'bad') classified domains (pandb) that do support live cloud lookups so when a malware is detected through any one of our many mechanisms, that database will be updated immediately and the verdict will be permeated down to the other services (sinkhole signature, among others)

 

and lastly, there's still the content scanning of actual malware where we can identify and block all kinds of malware (signature, heuristics, ..)

 

While the firewall offers many layers of protection, it's never a bad thing to add more 😉 Then if the external service doesn't have a domain listed as malware, at least the firewall will protect the network 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

L7 Applicator

Hi @raji_toor

 

There are two different databases behind there two features, which means that something that is categorized as malware in URL filtering does not need to be also in the DNS signatures. In addition with URL filtering it is possible that the domain is categorized as business-and-economy while a subfolder is categorized as malware. Another difference is also that the DNS signatures are more "static" than URL filtering. DNS signatures are updated with the antivirus updates and contain always the full list of DNS signatures which is  limited in the way this feature is designed. This DNS signatures simply cannot contain ALL malware, phishing, spyware domains as the list would simply be too big. With urlfiltering the firewall has a local cache of URL and if it does not know the category for a particular URL, it queries the cloud for the category.

So what you saw in your logs is actually expected behaviour. If you want to request a change here for something like a cloud lookup for the DNS sinkhole feature, ask your SE to create a feature request for that.

 

Regards,

Remo

@Remo I as an administrator can see that firewall is blocking malware either through DNS / URL filtering. There are DNS solutions which claim to stop malware just based on DNS. So when we pointed our DNS to them, PA is not doing sinkhole while this DNS provider is blocking them. PA is blocking them but at a later step. For higher management this third party DNS solution is working well over PA.

The best security is always layered, just in case one layer fails

 

The external DNS service may provide 'better' coverage as the sinkhole signatures are updated periodically and run on a optimized database to address the most active malware domains where the external service's database could be larger, but slower (sinkhole runs on-device and intercepts all DNS while the external DNS service requires lookups and properly configured clients)

 

In addition to the sinkhole signatures, URL filtering provides a larger repository of malware (and other 'bad') classified domains (pandb) that do support live cloud lookups so when a malware is detected through any one of our many mechanisms, that database will be updated immediately and the verdict will be permeated down to the other services (sinkhole signature, among others)

 

and lastly, there's still the content scanning of actual malware where we can identify and block all kinds of malware (signature, heuristics, ..)

 

While the firewall offers many layers of protection, it's never a bad thing to add more 😉 Then if the external service doesn't have a domain listed as malware, at least the firewall will protect the network 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 3592 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!