DNS sinkhole log action ons DNS rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS sinkhole log action ons DNS rule

L4 Transporter

https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891 explains how to configure DNS Sinkholing.

In step 3 the anti-spyware profile is added to the security rule that allows DNS traffic.

 

Does logging (at session end) need to be enabled on that rule for sinkholing to work ?

Or does it only have to be enabled on the rule that blocks access to the fake IP (as in step 4) ?

1 accepted solution

Accepted Solutions

To DNS Sinkhole to work. Then only thing you need is to apply the antispyware profile to the securiy policy.

 

Logging at start or logging at end is not related to the functionoing of the DNS sinkhole.

 

Logging are just to make sure that you can identify the infected host. However if you donot specify the logging option on the security policy in which the antispyware profile is applied you will not be able to get the logs but the dns sinkhole feature will still work.

 

Are you suspecting that your DNS sinkhole feature is not working?

 

Mark the correct answer.

View solution in original post

11 REPLIES 11

L5 Sessionator

Hi,

 

Blocking access to this fake IP is one thing but the aim is to be able to catch the infected laptop IP (instead of your DNS server IP) on your LAN (remediation ?). Then monitoring should be enable.

 

Hope help.

 

V.

All dns request come from our internal dns server. There's no useful information in the things that get logged. The question is: does PA need this logging enabled for the sinkhole feature to work ?

 

I am logging the deny action of the seperate sinkhole rule, which does contain useful information about (possibly infected) host.

To DNS Sinkhole to work. Then only thing you need is to apply the antispyware profile to the securiy policy.

 

Logging at start or logging at end is not related to the functionoing of the DNS sinkhole.

 

Logging are just to make sure that you can identify the infected host. However if you donot specify the logging option on the security policy in which the antispyware profile is applied you will not be able to get the logs but the dns sinkhole feature will still work.

 

Are you suspecting that your DNS sinkhole feature is not working?

 

Mark the correct answer.


@pakumar wrote:

Are you suspecting that your DNS sinkhole feature is not working?



I'm not sure. When trying a malicious url myself, it will get logged in the Deny rule for traffic to the fake ip. But it's hard to believe nobody else is in some way trying to connect to malicious url's for weeks. We have 300+ users...

 

Thank you for your answer.

Not exactly true.

 

1.  Client requests DNS resolution to malicious domain.

2.  Client request sent to internal DCs

3.  DCs forward query to recursives

4.  Recursives reach out to INet for mal domain.

5.  Palo responds with sinkhole IP

6.  Recursives take this IP and log it as mal domain IP

7.  Client attempts to go to sinkhole IP address.

 

So regardless of allowing or denying traffic to the sinkhole IP the action from the DNS servers or your clients will be logged.  Provided you've configured logging appropriately.

To test the functioning of sinkhole. Install the second highest antivirus update and check the release notes of the highest update and search for Suspicious DNS Query and then do a nslookup for the domains.

 

For example download and install 1629-2105 and check the release notes of 1629-2106. Search for Suspicious DNS Query you will get entry like this. Release notes you can get from support website go to dynamic update there you will get pdf for every release.

 

Suspicious DNS Query (generic:woyqqu 1 variants: com)

 

you can do nslookup as below [combine woyqqu and com]

nslookup woyqqu.com

 

You should get the DNS sinkhole address and in threat logs you can see the logs for DNS sinkhole.


Hope this helps

I'm not logging DNS request coming from our internal DNS servers. But even if I did, the "deny rule to fake ip" would not log the DNS request, since it's not connecting to the fake ip (it's just connecting to an external trusted DNS server).

 

To my understanding, the rule that allows DNS outside (the one with the sinkhole anti-spyware profile) doesn't even forward a DNS query for a malicious domain to an external DNS server. Instead the PA answers the DNS query with the fake ip.

Thanks.

Another way i found in the comments of https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891 , is querying the threat id's strarting at 4000001.

You are right. It doesn't matter whether you log or not DNS queries. 

And it also doesn't matter whether you allow or deny traffic to fake IP served by PA. You just need to make sure that any request to fake IP will get logged, usually it's http request or maybe SSL connect. 

Well, it seems to work ...

 

One reason why I doubted: I have a custom report mailed daily, but never got any hits for the sinkholing deny rule.

Turned out I had forgotten to enable the report to run on a schedule 😕

So the report was never actually generated... Dumb mistake 🙂

 

Happens 🙂

  • 1 accepted solution
  • 6380 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!