12-21-2022 12:45 AM
Dear and valuable Live Community Members,
One of our customers came to us with some questions in regard to the issues he is facing to correlate the logs for DNS Sinkhole, and we are wondering if there is a solution to it.
The customer currently has the following situation:
• Rule ‘DNS_Service’: this rule will allow DNS traffic from the FSMA Infobloxes towards the NRB Infobloxes, all external DNS requests will pass via this rule.
And the customer only sees the traffic between the infobloxes themselves. This rule has an anti-spyware profile attached with the DNS security feature enabled which results in the sinkhole action (spoof DNS reply IP) where needed.
• Rule ‘sinkhole’ will show you the actual client IP which tries to connect to a sinkhole IP (so does a connection to the spoofed DNS reply IP) indicating a potentially infected client machine.
The problem the customer has is that he doesn't have a real correlation between the logs. In the logs for the rule 'sinkhole' he can see the client IP address but doesn't see the domain requested. And in the rule 'DNS service' he can see the domain request but here we're missing the client IP addresses because the source is the DNS servers...
After checking the documentation in regard to this matter we've found the KB: "Client Using Internal DNS Server" and the below info:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
If a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source.
Currently, the Palo Alto Networks firewall cannot identify which end client is trying to access a malicious website with the help of the threat logs, because all threat logs will have the internal DNS server IP address as a source. However, the firewall should be able to determine the end client IP address with the help of traffic logs.
---------------------------------------------------------------------------------------------------------
Also as per info found in one of the conversations on a similar topic we've advised the customer that he might try to generate a custom report using the "sinkhole action" as a filter in the query builder to collect the data.
The customer is asking if that's limited by the design, or if there is another way the customer could feed more info in the logs.
Is there maybe any other way to correlate the logs for DNS Sinkhole?
We will appreciate your help and guidance with the above queries. And please let me know if that's something we should be asking the TAC.
Thank you in advance!
Cheers!
12-22-2022 11:29 AM
Hello,
Does the customer have a SIEM they can send all the logs to? SIEM's do a good job of correlating data such as this.
Regards,
12-23-2022 02:44 AM
Hi,
Thank you for your suggestion. We'll be looking into this.
And check with the customer if it's something that will work for him.
I'll keep you posted!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
