01-29-2020 07:30 AM - edited 01-29-2020 07:32 AM
We are finding that even domains configured as malware/c2 are not getting sinkholed. I'm aware from other posts that these are not the same database on the firewall.
Why are these not persistent? Why would you not flag on a DNS lookup that is out to resolve a malware/c2 domain - and NOT sinkhole it? Is the DNS database something that gets updated with the code release version, and is this why Palo came out with the DNS security service? We have other products that are flagging on domains that are clearly marked as malware, but Palo is letting them resolve.
01-29-2020 08:19 AM
Hello,
This is why a multi-layered approach is the best approach. As to why, that is for PAN to answer as to what is and is not sinkholed. URL filtering should also be used for this. In addition to this, use the Palo Alto EBLs and a secure DNS provider.
Only allow DNS servers to go out over DNS/53UDP and block local machines from doing so. Also point your DNS servers to a secure provider. While Palo Alto has a service, there are others out there, some at no charge: OpenDNS, TitanHQ, Quad9.
In addition to this follow the PAN best practices and decrypt SSL where you can.
Regards,
01-29-2020 10:58 AM
Thank you for the reply. I just don't understand why the Palo would allow resolution requests over udp/53 for known malware domains. What good is sinkholing if it doesn't sinkhole?
01-29-2020 02:40 PM
Hello,
So here could be the reason:
Suspicious DNS Query signatures are looking for DNS resolution to domains potentially associated with C2 traffic, which could be an indication of a breached machine.
So what the sinkhole is looking for and blocking, are C2 communications, not really all bad domains.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5kCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC
Hope that helps clarify things.
01-29-2020 06:54 PM - edited 01-29-2020 07:33 PM
Interesting. One of the domains was marked as c2. I could still get a resolution on it, though, even though other domains I could confirm were getting sinkholed. So I'm not sure now why they are missing that?
Either way, props @OtakarKlier for the good reply on how this works and how to set up secure DNS services.
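Two things in this thread are checkable from logs rather than by trial and error: whether a domain you consider flagged actually comes back as the sinkhole address (the gap the original poster describes), and whether anything other than your internal resolvers is talking to port 53 directly (the egress rule recommended in the first reply). The script below is an added example written for this thread; it is not Palo Alto code and does not read PAN-OS logs. The log line formats, the client and answer addresses, the domain names, the sinkhole address `192.0.2.253`, the resolver set and the flagged-domain set are all constructed or assumed values to be replaced with your own.

```python
"""Verify DNS sinkhole coverage and direct-DNS egress against sample log lines.

Added example for this thread, not vendor code. Every address, hostname and
domain below is constructed; SINKHOLE_IP, INTERNAL_RESOLVERS and
FLAGGED_DOMAINS are assumptions to replace with your own values.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed resolver log, one query per line: "<client> <qname> <answer>".
# '-' means no answer was returned.
DNS_LOG = """\
10.0.1.25 www.example.com 93.184.216.34
10.0.1.25 flagged-c2.example 198.51.100.7
10.0.1.40 flagged-c2.example 192.0.2.253
10.0.2.8 cdn.flagged-c2.example 198.51.100.8
10.0.1.40 other-bad.example 203.0.113.9
10.0.2.8 benign.example -
"""

# Constructed firewall traffic log: "<src> <dst> <proto> <dport>".
TRAFFIC_LOG = """\
10.0.0.53 9.9.9.9 udp 53
10.0.1.25 1.1.1.1 udp 53
10.0.1.40 9.9.9.9 tcp 53
10.0.2.8 203.0.113.5 tcp 443
10.0.0.54 9.9.9.9 udp 53
"""

SINKHOLE_IP = "192.0.2.253"                    # assumed sinkhole address
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed: only these may use port 53
FLAGGED_DOMAINS = {"flagged-c2.example", "other-bad.example"}  # assumed blocklist


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Evil.Example.' matches 'evil.example'."""
    return name.strip().rstrip(".").lower()


def matching_flagged(qname: str, flagged: Set[str]) -> Optional[str]:
    """Return the flagged entry that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for entry in flagged:
        e = normalize(entry)
        if q == e or q.endswith("." + e):
            return e
    return None


def parse_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse '<client> <qname> <answer>' lines; blank lines and '#' comments are skipped.

    Answers other than '-' must be valid IP addresses (ValueError otherwise).
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, answer = line.split()
        if answer != "-":
            ipaddress.ip_address(answer)  # raises on garbage input
        records.append((client, qname, answer))
    return records


def unsinkholed_flagged(records: List[Tuple[str, str, str]],
                        flagged: Set[str], sinkhole_ip: str) -> Dict[str, Set[str]]:
    """Map each flagged entry to the non-sinkhole answers it resolved to.

    A flagged query answered with the sinkhole address is working as intended
    and is not reported; one answered with a real address is the coverage gap.
    """
    gaps: Dict[str, Set[str]] = {}
    for _client, qname, answer in records:
        entry = matching_flagged(qname, flagged)
        if entry is None or answer in ("-", sinkhole_ip):
            continue
        gaps.setdefault(entry, set()).add(answer)
    return gaps


def dns_egress_violations(text: str, allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Hosts other than the allowed resolvers reaching port 53 over UDP or TCP."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        if dport == "53" and src not in allowed:
            hits.append((src, dst, proto.lower()))
    return hits


if __name__ == "__main__":
    gaps = unsinkholed_flagged(parse_dns_log(DNS_LOG), FLAGGED_DOMAINS, SINKHOLE_IP)
    for domain, answers in sorted(gaps.items()):
        print(f"NOT sinkholed: {domain} -> {', '.join(sorted(answers))}")
    for src, dst, proto in dns_egress_violations(TRAFFIC_LOG, INTERNAL_RESOLVERS):
        print(f"direct DNS egress: {src} -> {dst} {proto}/53")
```

The match is suffix-based, so a subdomain of a flagged entry counts as the same entry, and port 53 over TCP is checked alongside UDP because resolvers fall back to TCP for large answers; both are choices made for this example, not behaviour the thread attributes to the firewall.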