I tried to find an answer for this, but I couldn't find it. If someone has already posted this question, apologies...
I just turned on DNS sinkholing and it works as expected for root domains, for example:
nslookup kntsv.nl returns the DNS sinkhole IP of 71.19.152.112.
BUT...
If I do an nslookup of any subdomain of kntsv.nl, it returns a valid A record, for example:
nslookup testing.kntsv.nl returns the IP of 109.72.85.37.
My question... Why did the DNS lookup for the subdomain work but not the root? I would think the Palo would mark *.kntsv.nl as malicious and return with the sinkhole IP.
Thanks in advance for the help.