DNS sinkhole , some questions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

DNS sinkhole , some questions

L0 Member

 

I'm a SOC analyst, and we receive firewall logs regarding DNS sinkhole alerts. I'm trying to understand them better.

I have received multiple logs of this type, and I want to make sure I understand them correctly.

In this log, the domain that was queried was "s.w.org," right? I received multiple logs, and "generic:sr7pv7n5x.com" was present in all of them after the domain. What does this represent?

 

Also, does the sinkhole work only based on known databases of domains that have been flagged as malicious? Or will it also flag domains that appear suspicious, like "3123fsda11.xyz"?

Thank you so much; I appreciate it.

 

one of the logs we received :

 

<12>Jun 10 12:55:39 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:55:39,026701011826,THREAT,spyware,2816,2024/06/10 12:55:39,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:55:39,457116,1,51705,53,0,0,0x2000,udp,sinkhole,"s.w.org",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350092,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:55:39.509+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

<12>Jun 10 12:57:03 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:57:03,026701011826,THREAT,spyware,2816,2024/06/10 12:57:03,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:57:03,730181,1,62138,53,0,0,0x2000,udp,sinkhole,"i.ytimg.com",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350559,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:57:03.901+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

 

 

 

1 accepted solution

Accepted Solutions

Community Team Member

Hi @DavidMankivsky ,

 

The functionality of DNS sinkhole depends on the subscriptions on your firewall. With a threat prevention license, your firewall can sinkhole DNS requests using a predefined list of malicious domains provided by Palo Alto Networks.

However, if you have a DNS Security subscription in addition to the threat prevention license, that's where you have access to real-time protection. This includes advanced predictive analytics that can identify and flag not only known malicious domains but also suspicious domains that exhibit characteristics similar to those used by attackers, such as '3123fsda11.xyz

 

For the logs, it looks to me that there are two domains that the client is trying to resolve (I would double-check with the actual logs populated on the firewall):


1. "s.w.org"
2. "i.ytimg.com"

 

The (generic:sr7pv7n5x.com)(638487393) looks to be the (Threat Signature Name)(Unique Threat ID). You can access the Palo Alto Networks Threat Vault and search for that unique threat ID.

 

Hope this helps!

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

2 REPLIES 2

Community Team Member

Hi @DavidMankivsky ,

 

The functionality of DNS sinkhole depends on the subscriptions on your firewall. With a threat prevention license, your firewall can sinkhole DNS requests using a predefined list of malicious domains provided by Palo Alto Networks.

However, if you have a DNS Security subscription in addition to the threat prevention license, that's where you have access to real-time protection. This includes advanced predictive analytics that can identify and flag not only known malicious domains but also suspicious domains that exhibit characteristics similar to those used by attackers, such as '3123fsda11.xyz

 

For the logs, it looks to me that there are two domains that the client is trying to resolve (I would double-check with the actual logs populated on the firewall):


1. "s.w.org"
2. "i.ytimg.com"

 

The (generic:sr7pv7n5x.com)(638487393) looks to be the (Threat Signature Name)(Unique Threat ID). You can access the Palo Alto Networks Threat Vault and search for that unique threat ID.

 

Hope this helps!

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thank you Jay! you helped me a lot

  • 1 accepted solution
  • 2055 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!