L1 Bithead

DNS Sinkholing subdomains of known bad domains

I tried to find an answer for this, but I couldn't find it. If someone has already posted this question, apologies...

I just turned on DNS sinkholing, and it works as expected for root domains, for example:

nslookup kntsv.nl returns the DNS sinkhole IP of 71.19.152.112.

BUT...

If I do an nslookup of any subdomain of kntsv.nl, it returns a valid A record, for example:

nslookup testing.kntsv.nl returns the IP of 109.72.85.37.

My question: why did the DNS lookup for the subdomain work but not the root? I would think the Palo would mark *.kntsv.nl as malicious and return the sinkhole IP.

Thanks in advance for the help.
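A quick way to measure the behaviour described above across a whole set of hostnames, rather than one nslookup at a time, is a small resolver sweep that flags every name under a sinkholed domain that still resolves to a non-sinkhole address. This is an added example, not code from the original post or from Palo Alto Networks. The sinkhole address and the two observed answers come from the post; the resolver map, the extra `www`/`mail` labels, and the function names are constructed for illustration.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Sinkhole address quoted in the post.
SINKHOLE_IP = "71.19.152.112"

# Constructed resolver table mirroring what the post observed: the root domain
# is sinkholed, a subdomain is not. "www" is an extra constructed entry; "mail"
# is deliberately absent so the NXDOMAIN path is exercised.
SAMPLE_ANSWERS: Dict[str, str] = {
    "kntsv.nl": "71.19.152.112",
    "testing.kntsv.nl": "109.72.85.37",
    "www.kntsv.nl": "109.72.85.37",
}

Resolver = Callable[[str], str]


def sample_resolver(name: str) -> str:
    """Offline stand-in for DNS: answers from SAMPLE_ANSWERS or raises like a failed lookup."""
    try:
        return SAMPLE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def live_resolver(name: str) -> str:
    """Real lookup through the host's configured resolver (the one the firewall inspects)."""
    return socket.gethostbyname(name)


def candidate_names(domain: str, labels: Iterable[str]) -> List[str]:
    """Root domain first, then each label prefixed to it."""
    return [domain] + [f"{label}.{domain}" for label in labels]


def check_sinkhole(
    domain: str,
    sinkhole_ip: str,
    resolver: Resolver,
    labels: Iterable[str] = ("www", "mail", "testing"),
) -> Dict[str, Tuple[Optional[str], str]]:
    """Resolve the domain and its candidate subdomains.

    Returns name -> (answer_ip or None, status) where status is one of
    "SINKHOLED", "NOT SINKHOLED" or "NXDOMAIN".
    """
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for name in candidate_names(domain, labels):
        try:
            ip = resolver(name)
        except OSError:  # socket.gaierror is an OSError subclass
            results[name] = (None, "NXDOMAIN")
            continue
        status = "SINKHOLED" if ip == sinkhole_ip else "NOT SINKHOLED"
        results[name] = (ip, status)
    return results


def unsinkholed(results: Dict[str, Tuple[Optional[str], str]]) -> List[str]:
    """Names that returned a real A record instead of the sinkhole address."""
    return sorted(name for name, (_, status) in results.items() if status == "NOT SINKHOLED")


if __name__ == "__main__":
    # Swap sample_resolver for live_resolver to test against the real firewall path.
    report = check_sinkhole("kntsv.nl", SINKHOLE_IP, sample_resolver)
    for name, (ip, status) in report.items():
        print(f"{name:25s} {ip or '-':16s} {status}")
    print("Leaking subdomains:", unsinkholed(report))
```

Run it on the client side of the firewall, since the sinkhole answer is injected by the firewall's DNS security signature match rather than by the upstream resolver; a sweep run from a host whose DNS path bypasses the firewall will show nothing sinkholed at all, which is itself a useful sanity check before concluding that subdomains are being missed.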