04-02-2018 09:06 AM
Since PA recommends using 1.1.1.1 for DNS sinkholes I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1
https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1
04-02-2018 12:29 PM
Hello,
I was thinking the same thing when I saw the article. Since we only allow our AD servers to go out for DNS resolution and all our clients point internally to the AD servers, it's not going to be a big deal for us. We use least-privilege, deny-all, allow-by-exception in our policies. If you allow clients to reach out to external sources for DNS, then use the Palo Alto alternative IP.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891
Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (71.19.152.112).
Hope that helps.
Regards,
04-11-2018 12:33 AM
For the record, the official recommendation is to use the predefined provided IP address, or 71.19.152.112, as shown below (predefined IPs may vary depending on your region).
The occasional 1.1.1.1 showing up in knowledge base articles is basically the author (myself included, I'll admit that) being lazy. We're in the process of cleaning that up though. Please don't use 1.1.1.1 😉
04-11-2018 07:44 AM
@reaper Thanks for the info. BTW it looks like 71.19.152.112 resolves to prgmr.com. FWIW our predefined is 72.5.65.111
Side note to anyone alerting on sinkholes from a SIEM: if you change the sinkhole IP, make sure to change your alert triggers.
04-12-2018 08:34 AM
As of today, Palo's official sinkhole does not provide any additional benefit (reply to HTTP requests etc.), so I prefer to use a custom IP. Any hard-coded IP makes it easy for malware to identify that it is being fooled by Palo 🙂
04-13-2018 01:06 AM
@Raido_Rattameister, you could consider setting up your own honeypot and redirecting any sinkholes there.
The predefined sinkhole IP truly discards everything, but is an internet IP, so 'smart' malware is less likely to detect it is a false IP (if it checks for private IP DNS replies to identify it is being blackholed).
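An added example, written for this thread and not code from the LIVEcommunity or from Palo Alto Networks, that ties together two points made above: the SIEM alert triggers that must follow the sinkhole IP, and the difference between a loopback/private sinkhole address and a globally routable one. It keeps the sinkhole addresses quoted in the thread (71.19.152.112 and the regional 72.5.65.111) in one configurable set, scans constructed and simplified traffic-log rows for sessions whose destination is that set, and classifies candidate sinkhole addresses by scope. The log format is an assumption for the example, not PAN-OS's real CSV layout.

```python
"""Added example (not from the thread): flag sessions that hit a DNS-sinkhole
address and classify candidate sinkhole addresses by scope. The sinkhole IPs
are the ones quoted in the thread; the traffic-log rows are constructed."""
import csv
import ipaddress
from io import StringIO

# Sinkhole addresses named in the thread. Keeping them in one set means that
# changing the sinkhole IP on the firewall only requires updating this set,
# which is the alert-trigger point raised earlier in the thread.
SINKHOLE_IPS = {
    "71.19.152.112",  # Palo Alto Networks sinkhole IP (from the thread)
    "72.5.65.111",    # regional predefined value quoted in the thread
}

# Constructed, simplified rows: receive_time,src,dst,dport,app,action
# (assumed layout for the example, not the real PAN-OS traffic-log format)
SAMPLE_TRAFFIC_LOG = """\
2018/04/12 08:40:01,10.1.20.55,71.19.152.112,80,web-browsing,allow
2018/04/12 08:40:03,10.1.20.55,93.184.216.34,443,ssl,allow
2018/04/12 08:41:10,10.1.30.7,72.5.65.111,443,ssl,allow
2018/04/12 08:41:12,10.1.30.7,10.1.0.10,53,dns,allow
"""


def classify_sinkhole_address(ip):
    """Return 'loopback', 'private' or 'global' for a candidate sinkhole IP.
    A loopback or RFC 1918 reply is trivially recognisable to a client as a
    blackhole; a globally routable address is not (the thread's last point)."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "global"


def find_sinkhole_hits(log_text, sinkhole_ips=SINKHOLE_IPS):
    """Return (source_ip, sinkhole_ip, dport) for every session whose destination
    is a configured sinkhole address. Any source appearing here resolved a
    sinkholed domain and then tried to connect, so it warrants investigation."""
    hits = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed rows rather than crash the pipeline
        _time, src, dst, dport, _app, _action = row
        if dst in sinkhole_ips:
            hits.append((src, dst, int(dport)))
    return hits


def infected_hosts(log_text, sinkhole_ips=SINKHOLE_IPS):
    """Distinct source hosts that contacted a sinkhole, i.e. the alert list."""
    return sorted({src for src, _dst, _port in find_sinkhole_hits(log_text, sinkhole_ips)})


if __name__ == "__main__":
    for ip in sorted(SINKHOLE_IPS | {"127.0.0.1"}):
        print(f"{ip}: {classify_sinkhole_address(ip)}")
    for host in infected_hosts(SAMPLE_TRAFFIC_LOG):
        print("ALERT: sinkhole hit from", host)
```

Calling `infected_hosts` with a sinkhole set that no longer matches the firewall's configured address (for example after switching to a custom IP without updating the set) returns an empty list, which is exactly the silent alert gap the side note above warns about.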