Testing Sinkhole DNS

L2 Linker

Testing Sinkhole DNS

Hello, all

 

I am testing Anti-Spyware DNS sinkhole. I set:

Sinkhole.png

 

I make policy with this profile.

 

For most DNS-names in category “Malware” и “Command and Control” (https://threatvault.paloaltonetworks.com/) i see nslookup answer, for example:

 

Addresses: ::1
127.0.0.1

And it is good.

 

But for two DNS-names: namecha.in, 4cdf1kuvlgl5zpb9.pmr.cc (Malware category too) sinkhole is not working and i see ip-adresses in nslookup answer.

 

What can be wrong? I need advice.

Yes, i can make my own external dynamic list, but why standart not working for malware?

 

 

L7 Applicator

Re: Testing Sinkhole DNS

@aaobuhov,

While namecha.in is present in the PAN-DB URL Classifications it doesn't look like it currently actually has an active DNS Signature in place, which is what the Sinkhole process would trigger on. It was first released in 2732, but it's not showing as being active in a current release. The other domain has the same issue, it isn't showing as having a current active signature. 

 

 

L2 Linker

Re: Testing Sinkhole DNS

Hello, BPy

 

It is clear for me now, what PAN-DB URL database is not same as PA DNS Signature database.

Thank you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!