Suspicious DNS Query


L1 Bithead

Hi All -

Looking through my threat monitor and I am seeing a lot of Suspicious DNS Query entries in there.  I have two internal DNS servers, and the entries are for both of them -- the drop-all-packets action is being taken, so it's good the PA is stopping them.  If I had to take a guess, 90% of the entries in my entire threat monitor are the Suspicious DNS Query entries.  I've scanned and scanned and scanned my DNS servers (both Windows 2003 Server) for viruses and malware, but nothing is ever found.  I'm concerned about these even though the packets are being dropped.  Should I not be worried about them, is there something I can do to prevent them, or is it just the nature of DNS to query sites -- some of which may be associated with malware -- and I can't do anything?




L1 Bithead

OK.  Perhaps I posted that too soon.

I just found this:  Suspicious DNS Query - how to find source computer?.

It looks like the query isn't coming from my DNS server, but a host using my DNS server.  You can enable debugging on your DNS server and find the source computer.  I think it all makes sense now!


The new DNS Sinkholing feature in PAN-OS 6.0 can help you identify the client that requested the malicious DNS entry without having to go to the DNS server. 

L0 Member


When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source. However, if a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source when accessing a malicious website. Please find the below document for your reference.

DNS Sinkhole Process with Internal DNS Server
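The debug-log approach mentioned earlier in the thread (turn on packet logging on the internal DNS server, then look up which client asked for the name the firewall flagged) can be scripted. This is an added example, not part of any post above: the log line layout is an assumption based on typical Windows DNS Server debug output, and the sample lines, IP addresses and domain names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of DNS server debug-log lines (packet logging enabled).
# Assumed layout: date time thread PACKET addr UDP|TCP Rcv|Snd remote-IP xid [R] opcode [flags] qtype name
SAMPLE_LOG = """\
20140212 10:15:01 0A4C PACKET  0000000002F3C1A0 UDP Rcv 10.1.1.57       3f2a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20140212 10:15:02 0A4C PACKET  0000000002F3C1A0 UDP Rcv 10.1.1.83       91c4   Q [0001   D   NOERROR] A      (3)cdn(10)bad-domain(7)example(0)
20140212 10:15:02 0A4C PACKET  0000000002F40B10 UDP Snd 203.0.113.53    5b10   Q [0001   D   NOERROR] A      (3)cdn(10)bad-domain(7)example(0)
20140212 10:15:09 0A4C PACKET  0000000002F3C1A0 UDP Rcv 10.1.1.83       91c9   Q [0001   D   NOERROR] A      (3)CDN(10)bad-domain(7)example(0)
20140212 10:15:09 0A4C PACKET  0000000002F3C1A0 UDP Snd 10.1.1.83       91c9 R Q [8081   DR  NOERROR] A      (3)CDN(10)bad-domain(7)example(0)
20140212 10:16:30 0A50 PACKET  0000000002F3C1A0 UDP Rcv 10.1.1.11       77aa   Q [0001   D   NOERROR] A      (2)c2(7)malware(4)test(0)
20140212 10:16:44 0A50 PACKET  0000000002F3C1A0 UDP Rcv 10.1.1.102      0c1e   Q [0001   D   NOERROR] A      (2)c2(7)malware(4)test(0)
"""

LINE_RE = re.compile(
    r"^\S+ \S+(?: [AP]M)? \S+ PACKET\s+\S+ (?:UDP|TCP) (?P<dir>Rcv|Snd) "
    r"(?P<ip>\S+)\s+\S+\s+(?P<resp>R)?\s*\S+\s+\[[^\]]*\]\s+\S+\s+(?P<name>\(\S+)$"
)

def decode_name(raw):
    """Turn the log's length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", raw)
    return ".".join(label for label in labels if label).lower()

def find_clients(log_text, flagged, dns_servers):
    """Map each flagged domain to {client_ip: query_count} for queries this server received."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Keep only inbound queries: skip responses and the server's own forwarded packets.
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue
        # A query arriving from the other internal DNS server is a forward, not an endpoint.
        if m["ip"] in dns_servers:
            continue
        qname = decode_name(m["name"])
        for domain in flagged:
            if qname == domain or qname.endswith("." + domain):
                hits[domain][m["ip"]] += 1
    return {domain: dict(clients) for domain, clients in hits.items()}

if __name__ == "__main__":
    flagged = {"bad-domain.example", "malware.test"}  # constructed names standing in for threat-log entries
    print(find_clients(SAMPLE_LOG, flagged, {"10.1.1.10", "10.1.1.11"}))
```

The `flagged` set would come from the domains shown in the firewall's threat log, and `dns_servers` lists the internal DNS servers so that server-to-server forwards are not mistaken for the originating host.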


