Who Me Too'd this topic

Who Me Too'd this topic

L1 Bithead

DNS Sinkholing subdomains of known bad domains

I tried to find an answer for this, but I couldn't find it. If someone has already posted this question, apologies...


I just turned DNS sinkholing and it works as expected for root domains, for example:


nslookup kntsv.nl returns the DNS sinkhole IP of




If I do an nslookup of any subdomain of kntsv.nl, it returns a valid A record, for example:


nslookup testing.kntsv.nl returns the IP of


My question... Why did the dns lookup for the subdomain work but not the root? I would think the Palo would mark *.kntsv.nl as malicious and return with the sinkhole IP.


Thanks in advance for the help.

Who Me Too'd this topic