Finding IP of threat blocked via DNS Proxy

L0 Member

As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware.

I can't find a matching log anywhere to indicate the IP which made the DNS request to the Palo's DNS proxy. I'd appreciate some direction.

I'm aware some privacy apps use onion; this is just a generic example from the top of my logs. There are many other examples which are virtually identical but for other spyware threats, all blocked the same way with no way to track the source.

Example:

| Receive Time | Threat/Content Type | Source address | Destination address | NAT Source IP | NAT Destination IP | Application | Source Zone | Destination Zone | URL/Filename | Threat/Content Name |
|---|---|---|---|---|---|---|---|---|---|---|
| 11/08/2025 15:18 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |
| 11/08/2025 15:18 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |
| 11/08/2025 15:17 | spyware | [DNS-Proxy IP] | 1.0.0.1 | [external IP] | 1.0.0.1 | dns-base | [guest] | untrust | google.com.onion | Proxy:onion(109010004) |

Cyber Elite

You can switch to DNS sinkhole instead of blocking. This will poison the malicious DNS reply with your own (or Palo's) sinkhole IP, and you'll see the original client make connections to that IP, as it received a DNS reply and will now try to connect to it.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
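
Once the sinkhole action is in place, the correlation the reply describes can be run over exported logs. The following is an added example, not part of the original thread: it matches sinkholed DNS events from the threat log against traffic-log sessions to the sinkhole IP by time. The sinkhole address, client addresses, timestamp format, `Action` column and 120-second window are assumptions, and it presumes a security rule logs traffic to the sinkhole IP.

```python
import csv
import io
from datetime import datetime, timedelta

SINKHOLE_IP = "192.0.2.53"       # constructed placeholder for the configured sinkhole address
WINDOW = timedelta(seconds=120)  # assumed delay between the DNS answer and the client's connection
TIME_FMT = "%m/%d/%Y %H:%M:%S"   # assumed export timestamp format

# Constructed sample exports. Column names follow the threat log in the question;
# the "Action" column and every address below are assumptions for illustration.
THREAT_CSV = """Receive Time,Source address,URL/Filename,Action
11/08/2025 15:17:40,10.0.0.53,google.com.onion,sinkhole
11/08/2025 15:18:05,10.0.0.53,google.com.onion,sinkhole
"""
TRAFFIC_CSV = """Receive Time,Source address,Destination address,Source Zone
11/08/2025 15:17:42,10.20.0.31,192.0.2.53,guest
11/08/2025 15:18:06,10.20.0.31,192.0.2.53,guest
11/08/2025 15:18:09,10.20.0.77,192.0.2.53,guest
11/08/2025 15:18:10,10.20.0.12,1.0.0.1,guest
11/08/2025 15:40:00,10.20.0.99,192.0.2.53,guest
"""

def _rows(text):
    """Parse a CSV export and attach a datetime under the key 'ts'."""
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Receive Time"], TIME_FMT)
        yield row

def candidate_clients(threat_csv, traffic_csv, sinkhole_ip=SINKHOLE_IP, window=WINDOW):
    """Return {domain: {client IP: session count}} for sessions to the sinkhole IP
    that were logged within `window` after a sinkholed DNS query for that domain."""
    hits = [r for r in _rows(traffic_csv) if r["Destination address"] == sinkhole_ip]
    seen = {}  # domain -> client -> set of session timestamps (no double counting)
    for ev in _rows(threat_csv):
        if ev["Action"] != "sinkhole":
            continue
        clients = seen.setdefault(ev["URL/Filename"], {})
        for hit in hits:
            if ev["ts"] <= hit["ts"] <= ev["ts"] + window:
                clients.setdefault(hit["Source address"], set()).add(hit["ts"])
    return {d: {ip: len(ts) for ip, ts in c.items()} for d, c in seen.items()}

if __name__ == "__main__":
    for domain, clients in candidate_clients(THREAT_CSV, TRAFFIC_CSV).items():
        for ip, count in sorted(clients.items()):
            print(f"{domain}: {ip} made {count} session(s) to the sinkhole")
```

The match is by time only, because the session to the sinkhole IP does not carry the queried domain, so several domains sinkholed in the same window will share candidate clients.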