Suspicious DNS Query - how to find source computer?



L6 Presenter

What about creating a new VSYS on your PA device and attaching 2 interfaces to it, which you configure as VWIRE and then plug between your DNS and the rest of the network?

Oh, and in this VSYS configure it only for alerting so as not to disturb the flows (that is, unless you wish to block the queries with the help of the PA).

L4 Transporter

Mikand: I know that VWIRE is better (easier) than SPAN port on switch.

At the moment I have a lot of things to do and I haven't time for it.

I have PA200 and I'm not sure that I can create second VSYS, and I'm sure that I ran out of free Security zones (I have used 10 at the moment).

But if you can help me in private (I'm almost a newbie in PAN) we can do it.

At the moment I have isolated the problem. This suspicious request comes from my WiFi networks, so that means from private users' computers. That's good for me :smileyhappy:

L0 Member

You'll have to enable the DNS debug log file on your DNS server to get the level of detail you need to find the sources of the DNS requests.

Here's how (warning: Microsoft recommends only keeping DNS debug captures enabled temporarily):

1. Login to server

2. Open dnsmgmt - (Administrative tools -> DNS)

3. Right Click on your server object and select properties

4. Select Debug Logging

5. Put a check mark on:

     Packet Direction [Outgoing and Incoming]

     Packet Contents [ Queries/Transfer]

     Transfer Protocol [UDP/TCP]

     Packet type [Request/Response]

6. Choose where you want the debug file created and make sure you have enough space to hold the files.

7. Select OK

8. Done

Now just go into the threat log of the Palo Alto, find the DNS name (e.g. google), then search [Ctrl+F] for that name in the DNS debug file. Make sure to only search for the name without the suffix at the end (example: only look for google, as the DNS debug format substitutes the dots with a length marker like "(6)").

That is the quick and dirty way to find it. If you have hundreds of entries from multiple sources, you will need to create a script. I wrote a VB script for this very purpose to find Conficker infected hosts on my network. It's 100% accurate. If anyone wants a copy, reply back to me and I can post the code.
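The post above describes scripting the search of the Windows DNS debug log when there are too many entries to find by hand. The following is an added example (not the poster's VB script and not Palo Alto's code) in Python that does the same job: it parses the per-packet lines of a Windows DNS Server debug log, decodes the length-prefixed name format (`(6)google(3)com(0)` becomes `google.com`), keeps only inbound queries (`Rcv` that are not responses), and counts them per client IP for a given domain or any of its subdomains. The column layout in the regex follows the Windows DNS debug log format; the log lines embedded below are constructed samples in that layout, and the IPs and the `bad.example.net` domain are placeholders, not values from the thread.

```python
import re
from collections import Counter

# Per-packet line of a Windows DNS Server debug log (layout assumed from the documented
# format): date, time, thread id, PACKET, context, UDP/TCP, Snd/Rcv, remote IP, xid,
# optional 'R' (response), opcode, [flags], query type, length-prefixed query name.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<ctx>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<opcode>[QNU?])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample log: one lookup of google.com from one host, and three lookups of a
# placeholder "bad" domain from two hosts. Header lines and a blank line are included to
# show that non-packet lines are skipped.
SAMPLE_LOG = """DNS Server log file creation at 3/14/2013 10:16:00 AM
Log file wrap at 3/14/2013 10:16:00 AM

3/14/2013 10:16:02 AM 0B40 PACKET  000000000A2F4B70 UDP Rcv 192.168.1.50     0002   Q [0001   D   NOERROR] A      (6)google(3)com(0)
3/14/2013 10:16:02 AM 0B40 PACKET  000000000A2F4B70 UDP Snd 192.168.1.50     0002 R Q [8081   DR  NOERROR] A      (6)google(3)com(0)
3/14/2013 10:16:03 AM 0B40 PACKET  000000000A2F4C10 UDP Rcv 10.20.30.7       0003   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
3/14/2013 10:16:05 AM 0B40 PACKET  000000000A2F4D22 UDP Rcv 10.20.30.7       0004   Q [0001   D   NOERROR] A      (3)www(3)bad(7)example(3)net(0)
3/14/2013 10:16:07 AM 0B40 PACKET  000000000A2F4E00 UDP Rcv 10.20.31.9       0005   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
"""


def decode_qname(raw):
    """Turn the debug log's length-prefixed name, e.g. '(6)google(3)com(0)', into 'google.com'."""
    return re.sub(r"\(\d+\)", ".", raw).strip(".").lower()


def parse_packets(log_text):
    """Yield one dict per packet line; header, wrap and blank lines do not match and are skipped."""
    for line in log_text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = decode_qname(rec["qname"])
            yield rec


def find_query_sources(log_text, domain):
    """Count inbound client queries per source IP for `domain` or any of its subdomains.

    Only Rcv packets that are not responses are counted, so the server's own outbound
    recursion (Snd) and the answers it sends back are excluded.
    """
    domain = domain.lower().strip(".")
    counts = Counter()
    for rec in parse_packets(log_text):
        if rec["dir"] != "Rcv" or rec["resp"]:
            continue
        name = rec["qname"]
        if name == domain or name.endswith("." + domain):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: replace SAMPLE_LOG with open(r"C:\dns.log", encoding="utf-8", errors="replace").read()
    # and pass the domain taken from the Palo Alto threat log entry.
    for ip, n in sorted(find_query_sources(SAMPLE_LOG, "bad.example.net").items()):
        print(f"{ip}\t{n} queries")
```

Matching on the decoded name rather than the raw `(3)bad(7)example` text means a subdomain such as `www.bad.example.net` is still attributed to the same client, and the Rcv/response filter avoids double-counting the server's own answer packets.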

L4 Transporter

Just to say I found this thread really beneficial.  We only allow our AD servers to do outbound DNS queries and it never occurred to me that spyware signatures would check DNS traffic - enabled it and cleared the DNS server caches and sure enough had a ping for a nice piece of webwebgo crapware :smileyhappy:

L3 Networker

Use the DNS sinkhole feature in 6.0; this is what it's meant for.

The user makes a DNS request, the DNS server performs the lookup, the Palo Alto picks this up via the DNS signature and returns the sinkhole IP. The user then tries to connect to the sinkhole IP, and it will get recorded in the traffic logs as such.

How to Configure DNS Sinkholing on PAN-OS 6.0

L0 Member


Please find the below document for the same.

DNS Sinkhole Process with Internal DNS Server



L3 Networker

I have configured DNS sinkhole, but it does not sinkhole these DNS requests (Torpig):

Bot: Torpig Phone Home DNS request


I believe sinkhole threat IDs can be between 4000000 and 4999999 on paloalto.

I don't know why Torpig is not included.
