This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Suspicious DNS Query

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Suspicious DNS Query

CarthageCollege
L1 Bithead

‎03-28-2014 08:28 AM

Hi All -

Looking through my threat monitor and I am seeing a lot of Suspicious DNS Query entries in there.  I have two internal DNS servers, and the entries are for both of them -- the drop-all-packets action is being taken, so it's good the PA is stopping them.  If I had to take a guess, 90% of the entries in my entire threat monitor are the Suspicious DNS Query entries.  I've scanned and scanned and scanned my DNS servers (both Windows 2003 Server) for viruses and malware, but nothing is ever found.  I'm concerned about these even though the packets are being dropped.  Should I not be worried about them, is there something I can do to prevent them, or is it just the nature of DNS to query sites -- some of which may be associated with malware -- and I can't do anything?

Thanks!

Max

0 Likes Likes
3 REPLIES 3

CarthageCollege
L1 Bithead

‎03-28-2014 08:51 AM

OK.  Perhaps I posted that too soon.

I just found this:  Suspicious DNS Query - how to find source computer?.

It looks like the query isn't coming from my DNS server, but a host using my DNS server.  You can enable debugging on your DNS server and find the source computer.  I think it all makes sense now!

Max

0 Likes Likes

jvalentine
L7 Applicator
In response to CarthageCollege

‎03-28-2014 09:51 AM

The new DNS Sinkholing feature in PAN-OS 6.0 can help you identify the client that requested the malicious DNS entry without having to go to the DNS server. 

sbabu
L0 Member

‎10-24-2014 08:28 AM

Hi,

When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source. However, if a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source when accessing malicious website. Please find the below document for your reference.

DNS Sinkhole Process with Internal DNS Server


Regards,

Sarath

0 Likes Likes
  • 3860 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks