08-09-2018 11:30 AM
I have DNS sinkhole in place but the issue here is firewall is not stopping DNS resolutions of old spyware (previous dynamic update version) signatures/domains at DNS level. Palo threat database shows the domain as malware but no sinkhole action is taking place. Is this a known behaviour?
08-09-2018 01:07 PM
As long as it's still listed on threatvault you should still be seeing the request get sinkholed.
08-09-2018 01:09 PM
Thank you. But I am not seeing them. That is the issue. I may create a support case.
Thanks.
08-09-2018 01:43 PM
Is this particular domain listed as DNS signature or "only" as malware URL category? If it's the latter one, then this is actually "expected behaviour" because only a small percentage of malware domains are available as DNS signature. This is simply because the DNS signatures are far more static than the URL categories where the firewall is able to do a cloud lookup of a URL. Technically this would also be possible for DNS entries, but so far this isn't implemented this way.
08-09-2018 01:45 PM
That's a really good distinction to make. If it isn't listed as an actual signature then this is fully expected behaviour.
08-09-2018 01:48 PM
Thank you so much for the detailed explanation.
I tested 2 domains: veedookij.tk and aol.cm
They both are listed as malware but only the first one is being resolved to sinkhole IP. I don't see any logic here.
**aol.cm used to resolve to sinkhole IP 2-3 weeks ago. I assume all signatures timeout after some specific time period?
08-09-2018 02:02 PM
This I don't know exactly, but I assume it is something like you wrote (that the signatures time out) and probably also that Palo Alto makes the most dangerous domains available as DNS signature. As I wrote there is no cloud lookup for these so the capacity is limited. Especially when users can also configure their own domain EDL, the firewall will get to a point where the performance is affected when the firewall has to check hundreds of thousands of entries for every DNS request. The cloud obviously scales a lot better with the URL database than a local one.
08-10-2018 05:42 AM
I agree about the performance but this, for me, seems to be a major hole in security because my DNS sinkhole report omits all those old malicious connection requests (if any)
08-10-2018 06:00 AM
Unfortunately that's how it works right now. You could create a feature request for this DNS sinkhole cloud enhancement ...
Or build something similar on your internal DNS server where you sinkhole all the public lists of malware domains... I know, not really what you're looking for...
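One way to act on the last suggestion (sinkholing public malware-domain lists on an internal resolver), as an added example that is not part of the thread or of any Palo Alto product: a small Python script that turns a domain feed into a BIND Response Policy Zone (RPZ) answering every listed domain and its subdomains with a sinkhole address, so the hits show up in the resolver's query log the way the firewall's sinkhole report would. The feed entries and the sinkhole IP (192.0.2.1, a documentation address) are constructed placeholders; the zone name rpz.local is an assumption.

```python
"""Build a BIND RPZ zone that sinkholes a list of domains.

Added example, not from the thread. Feed entries are constructed samples,
the sinkhole IP is a placeholder, and the zone name is an assumption.
"""
import re

# RFC 1035-style label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(name):
    """Lowercase, strip whitespace and trailing dot; None if not a valid FQDN."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return name


def build_rpz_zone(domains, sinkhole_ip, serial, zone="rpz.local"):
    """Return RPZ zone text: one A record per domain plus a wildcard for its
    subdomains, both pointing at the sinkhole IP. Duplicates and malformed
    feed entries are dropped rather than breaking the zone load."""
    seen = set()
    lines = [
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{zone}. ({serial} 3600 900 604800 60)",
        "@ IN NS localhost.",
    ]
    for raw in domains:
        d = normalize_domain(raw)
        if d is None or d in seen:
            continue
        seen.add(d)
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


# Constructed sample feed: mixed case, a duplicate, and a bogus entry.
SAMPLE_FEED = ["Bad.Example.test.", "bad.example.test", "not a domain", "evil.example.test"]

if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_FEED, "192.0.2.1", 2018080901))
```

Load the generated zone under a `response-policy` statement in named.conf and bump the serial on every feed refresh; alerting then becomes a matter of watching the resolver log for answers equal to the sinkhole IP.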