08-10-2025 11:14 PM
As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware.
I can't find a matching log anywhere to indicate the IP which made the DNS request to the Palo's DNS proxy. I'd appreciate some direction.
I'm aware some privacy apps use onion; this is just a generic example from the top of my logs. There are many other examples which are virtually identical but for other spyware threats, all blocked the same way, with no way to track the source.
Example:
| Receive Time | Threat/Content Type | Source address | Destination address | NAT Source IP | NAT Destination IP | Application | Source Zone | Destination Zone | URL/Filename | Threat/Content Name |
|---|---|---|---|---|---|---|---|---|---|---|
| 11/08/2025 15:18 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |
| 11/08/2025 15:18 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |
| 11/08/2025 15:17 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |
08-18-2025 02:34 AM
You can switch to DNS sinkhole instead of blocking. This will poison the malicious DNS reply with your own (or Palo's) sinkhole IP, and you'll see the original client make connections to that IP, since it received a DNS reply and will now try to connect to it.
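As an added illustration of what the sinkhole approach gives you (example code written for this page, not from the thread or from Palo Alto Networks): once the poisoned reply points at a sinkhole address, the traffic log records the real client connecting to it, so the threat log entry (sourced from the DNS proxy) can be joined to the client that actually asked. The sinkhole IP, the simplified column layouts and all log lines below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values, not from the thread: an internal, unrouted address used
# as the sinkhole, and pipe-delimited log lines with second-resolution times.
SINKHOLE_IP = "10.255.255.254"
TS_FMT = "%d/%m/%Y %H:%M:%S"  # day/month ordering, as in the thread's table

# Threat log: time | type | src (DNS proxy) | dst resolver | app | szone | dzone | fqdn | threat
THREAT_LOG = """\
11/08/2025 15:18:05 | spyware | 10.1.1.1 | 1.0.0.1 | dns-base | guest | untrust | google.com.onion | Proxy:onion(109010004)
11/08/2025 15:17:10 | spyware | 10.1.1.1 | 1.0.0.1 | dns-base | guest | untrust | google.com.onion | Proxy:onion(109010004)
"""

# Traffic log: time | src | dst | dport | szone | dzone
TRAFFIC_LOG = """\
11/08/2025 15:18:06 | 192.168.50.23 | 10.255.255.254 | 443 | guest | untrust
11/08/2025 15:18:06 | 192.168.50.23 | 10.255.255.254 | 80 | guest | untrust
11/08/2025 15:19:10 | 192.168.50.40 | 142.250.72.14 | 443 | guest | untrust
11/08/2025 15:17:11 | 192.168.50.77 | 10.255.255.254 | 443 | guest | untrust
"""


def parse(block):
    """Split pipe-delimited log text into stripped field lists, skipping blanks."""
    return [[f.strip() for f in line.split("|")] for line in block.splitlines() if line.strip()]


def sinkhole_clients(traffic, sinkhole_ip):
    """Return {client_ip: [(time, dport, szone), ...]} for every connection to the
    sinkhole. Only a host that received the poisoned reply tries to reach that
    address, so the source here is the real requester, not the DNS proxy."""
    hits = defaultdict(list)
    for ts, src, dst, dport, szone, _dzone in traffic:
        if dst == sinkhole_ip:
            hits[src].append((ts, dport, szone))
    return dict(hits)


def correlate(threat, traffic, sinkhole_ip, window=timedelta(seconds=30)):
    """For each blocked-lookup threat entry, list the clients that connected to
    the sinkhole within +/- window of it: (threat_time, fqdn, threat_name, clients)."""
    hits = sinkhole_clients(traffic, sinkhole_ip)
    out = []
    for t_ts, _type, _src, _dst, _app, _sz, _dz, fqdn, tname in threat:
        t_time = datetime.strptime(t_ts, TS_FMT)
        clients = sorted({src for src, evts in hits.items() for ts, _p, _z in evts
                          if abs(datetime.strptime(ts, TS_FMT) - t_time) <= window})
        out.append((t_ts, fqdn, tname, clients))
    return out
```

In a real deployment the same join is done with the firewall's own traffic log export filtered on the sinkhole destination; the time window only matters because the threat entry and the client's follow-up connection are separate events.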