DNS Sinkhole Intended Destination


L1 Bithead

I've configured a DNS sinkhole in our PAN firewall, and it's helped our department identify machines that are trying to reach out to malicious domains and such. Is it possible to identify the original intended destination that the user was attempting to reach when they became infected?

2 REPLIES

L6 Presenter

If you resolve the URLs in those DNS queries you will get the IPs of the C&C servers.

The original source of the infection will not be so easy to find.

For a start, check the threat logs with the IPs of the infected machines as source or destination. You might also want to check the URL logs to see if it visited some of the suspicious categories (malware, unknown, ...) if these aren't blocked. If you pinpoint the moment of infection from the system logs on the infected device, maybe check the traffic logs as well. That's as much as you can check on the FW. But if the source of the infection was an encrypted connection or a USB stick, you won't find much info on the firewall.
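The log correlation described in the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling: pull the sinkholed query (the intended destination domain) out of the threat log, then match it against the traffic-log sessions the same client opened to the sinkhole address right afterwards. The log lines are constructed and deliberately simplified; the field order, the "(generic:domain)" text in the threat name, and the sinkhole IP are assumptions you must adjust to your own CSV export and Anti-Spyware profile. The last function covers the caveat that matters most in practice: when the firewall only sees DNS from an internal resolver, the threat log names the resolver, and the hosts that show up in the traffic log talking to the sinkhole IP are the actually infected clients.

```python
"""Correlate DNS-sinkhole hits with the follow-on traffic of the infected host.

Constructed sample data loosely modelled on PAN-OS threat/traffic logs.
Field order, threat-name text and the sinkhole address are assumptions
for this example, not the real export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sinkhole address; substitute the one set in your Anti-Spyware profile.
SINKHOLE_IP = "72.5.65.111"

# Constructed threat-log lines: time,type,subtype,src,dst,action,threat_name
THREAT_LOG = """\
2019/03/04 09:12:01,THREAT,spyware,10.1.5.23,8.8.8.8,sinkhole,Suspicious DNS Query (generic:bad-cdn.example.net)
2019/03/04 09:12:03,THREAT,spyware,10.1.5.23,8.8.8.8,sinkhole,Suspicious DNS Query (generic:update.malicious.example)
2019/03/04 09:20:44,THREAT,spyware,10.1.7.90,8.8.8.8,sinkhole,Suspicious DNS Query (generic:cnc.evil.example)
2019/03/04 09:21:00,THREAT,vulnerability,10.1.7.90,203.0.113.9,alert,Some Other Signature
"""

# Constructed traffic-log lines: time,src,dst,dport,app,action
TRAFFIC_LOG = """\
2019/03/04 09:12:02,10.1.5.23,72.5.65.111,443,ssl,allow
2019/03/04 09:12:04,10.1.5.23,72.5.65.111,80,web-browsing,allow
2019/03/04 09:13:30,10.1.5.23,93.184.216.34,443,ssl,allow
2019/03/04 09:20:45,10.1.7.90,72.5.65.111,8080,unknown-tcp,allow
2019/03/04 10:00:00,10.1.9.1,72.5.65.111,443,ssl,allow
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
# Assumed shape of the threat name; the queried domain sits inside "(generic:...)".
DOMAIN_RE = re.compile(r"\(generic:([^)]+)\)")


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def sinkhole_hits(threat_log):
    """Return [(time, src, intended_domain)] for every sinkholed DNS query."""
    hits = []
    for line in threat_log.splitlines():
        if not line.strip():
            continue
        t, _type, _subtype, src, _dst, action, threat = line.split(",", 6)
        if action != "sinkhole":
            continue  # other threat types are not DNS sinkhole events
        m = DOMAIN_RE.search(threat)
        hits.append((parse_time(t), src, m.group(1) if m else threat))
    return hits


def sinkhole_connections(traffic_log, sinkhole_ip=SINKHOLE_IP):
    """Return {client_ip: [(time, dport, app)]} for sessions to the sinkhole IP."""
    conns = defaultdict(list)
    for line in traffic_log.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, app, _action = line.split(",", 5)
        if dst == sinkhole_ip:
            conns[src].append((parse_time(t), int(dport), app))
    return conns


def correlate(threat_log, traffic_log, window=timedelta(seconds=30)):
    """Map host -> [{domain, first_seen, connections}] using a short time window.

    A sinkholed lookup is followed almost immediately by the malware's
    connection to the sinkhole IP, so a window of a few seconds ties the
    intended domain to the port/application it would have used.
    """
    conns = sinkhole_connections(traffic_log)
    report = defaultdict(list)
    for t, src, domain in sinkhole_hits(threat_log):
        follow = [c for c in conns.get(src, []) if t <= c[0] <= t + window]
        report[src].append({"domain": domain, "first_seen": t, "connections": follow})
    return dict(report)


def unexplained_sinkhole_clients(threat_log, traffic_log):
    """Hosts that reached the sinkhole IP without a sinkhole hit of their own.

    Typical when the firewall only sees DNS from an internal resolver: the
    threat log then names the resolver, and these traffic-log sources are the
    real infected clients (or hosts with a cached answer from before the rule).
    """
    known = {src for _t, src, _d in sinkhole_hits(threat_log)}
    return sorted(set(sinkhole_connections(traffic_log)) - known)


if __name__ == "__main__":
    for host, entries in correlate(THREAT_LOG, TRAFFIC_LOG).items():
        for e in entries:
            print(host, e["domain"], e["first_seen"], e["connections"])
    print("no matching threat log entry:", unexplained_sinkhole_clients(THREAT_LOG, TRAFFIC_LOG))
```

Feed it your own exports by replacing the two constructed strings with the file contents and fixing the column indices; the per-host output gives the intended domain plus the port and App-ID the implant used, which is what to search for in the traffic logs from before the sinkhole rule was in place.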

Thanks for the reply, Santonic. 

  • 1965 Views
  • 2 replies
  • 0 Likes