02-25-2016 08:25 AM
Hello, has anyone had any problems with DNS sinkhole not triggering on PAN-OS 6.1.4 ?
I have created a security policy for DNS traffic between a LAN side DNS server and a WAN side upstream DNS server, the Palo sits at the WAN edge between the two DNS servers. Attached to this security policy is an Anti-spyware security policy with DNS action alert. This works as expected, alerting every time a query for a known malicious domain is seen, so no problem seeing the traffic albeit with the LAN side DNS server as the source IP address.
So with a duplicate (higher) security rule and spyware policy now set to sinkhole, the traffic is seen as "DNS" by this new rule but does not trigger the threat and so does not receive the sinkhole IP address I have set.
Any help would be greatly appreciated.
02-25-2016 10:10 AM
Check out this doc it will surely help if the dns sinkhole is configured properly.
02-25-2016 10:12 AM
Make sure that the antivirus updates are consecutive (highest and second highest).
02-25-2016 10:12 AM
So you've got an Anti-Spyware policy set up like this:
With no logs in threat that look like this?
Do you have any "Traffic" logs of hosts going to your sinkhole IP?
02-29-2016 01:40 AM
Thanks for the response, for further info as of today we are running AV 1797-2276 and I have performed further tests.
My sinkhole spyware profile is configured like this:
I then attempt to lookup a known malicious domain. In the traffic logs I can see that my test traffic hits the correct security rule that should apply the dns sinkhole IP address. However it does not sinkhole the traffic and does not trigger a threat log for spyware domain.
Using packet capture I can see that my query contains the known malicious domain as below:
Does anyone have any further thoughts that may help please?
02-29-2016 05:21 AM
If you check the URL category as malicious, then it will/may not trigger the sinkhole. Check the link that I have sent you and follow it once, just for testing.
Download and install antivirus 1797-2276 and do the DNS lookup for "d1e9me*d3jmum*com" (replace * with .).
03-02-2016 08:12 PM
Not sure how the client is trying to connect to the sinkhole IP address if it's receiving an error code in the DNS response instead of the sinkhole IP address (unless the packet capture is missing something). By any chance is the client using an internal DNS server?
From RFC 1035 (DNS), the response "no such name":
3 Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.
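The distinction raised in this reply (an RCODE 3 "no such name" from the upstream resolver versus an A record pointing at the sinkhole address) is easy to check mechanically. The following Python script is an added example, not code from the thread or from Palo Alto Networks: it builds constructed sample DNS responses, parses them, and classifies each as sinkholed, NXDOMAIN, or normally resolved. The sinkhole address `SINKHOLE_IP`, the test domain `malicious-test.example`, and the `probe()` helper that sends a live query to a resolver are all assumptions for the demo; substitute the sinkhole address actually configured in the Anti-Spyware profile.

```python
import socket
import struct
from ipaddress import IPv4Address

# Assumed placeholder: replace with the sinkhole address set in the Anti-Spyware profile.
SINKHOLE_IP = "72.5.65.111"


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname):
    """Standard recursive A query (QR=0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, rcode, answer_ip=None, ttl=60):
    """Constructed sample response for the demo (QR=1, RD=1, RA=1, no compression)."""
    flags = 0x8180 | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b""
    if answer_ip:
        answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)
        answer += IPv4Address(answer_ip).packed
    return header + question + answer


def read_name(buf, offset):
    """Decode a name at offset, following RFC 1035 compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier name
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(buf):
    """Return txid, rcode, the queried name, and any A records from a raw DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = read_name(buf, offset)
        offset += 4  # QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        _, offset = read_name(buf, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(str(IPv4Address(rdata)))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "a_records": a_records}


def classify(buf, sinkhole_ip=SINKHOLE_IP):
    """sinkholed: firewall rewrote the answer; nxdomain: upstream 'no such name' passed through."""
    parsed = parse_response(buf)
    if sinkhole_ip in parsed["a_records"]:
        return "sinkholed"
    if parsed["rcode"] == 3:
        return "nxdomain"
    if parsed["rcode"] == 0 and parsed["a_records"]:
        return "resolved"
    return "other"


def probe(qname, resolver, sinkhole_ip=SINKHOLE_IP, timeout=3.0):
    """Live check (assumed helper): query the LAN-side resolver and classify what it returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(0x1234, qname), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data, sinkhole_ip)


if __name__ == "__main__":
    # Constructed samples: what the thread's capture showed (NXDOMAIN) versus a working sinkhole.
    name = "malicious-test.example"
    for label, pkt in [("upstream NXDOMAIN", build_response(1, name, 3)),
                       ("sinkhole rewrite", build_response(2, name, 0, SINKHOLE_IP)),
                       ("normal answer", build_response(3, name, 0, "192.0.2.10"))]:
        print(f"{label:18s} -> {classify(pkt)}")
```

Run `probe("malicious-test.example", "<LAN DNS server>")` from a client to see which of the three cases the resolver actually hands back; `classify()` can equally be fed the UDP payload of a response pulled from the firewall's packet capture. A result of `nxdomain` for a domain the threat log flags as malicious confirms the upstream answer is passing through unchanged rather than being rewritten.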
03-02-2016 11:56 PM
Yeah, check who is sending those 'no such name' responses. That can't be PA.
03-04-2016 12:58 AM
Hello, it is the remote DNS server sending the "no such name" response. However, what I was expecting is that, because the lookup contains a known malware domain, it would trigger the PA to respond with the sinkhole IP instead. Instead it's not seen as malware, so it does not trigger the sinkhole. I'm going to be spending some time next week looking at this again and will update.