Hi everyone, I need your help to better understand how DNS Sinkhole actually works. I mean, I know how it works and how to configure it, but I'm facing a strange behaviour I cannot understand. In the photo I have uploaded I have an example. Both source and destination are in the same subnet (I have obscured the first two octets for privacy). The destination of the log (99.7) should be the client trying to contact the C2 domain, but the source doesn't exist! It's not the interface IP of the PA, nor a host in the subnet! This is not the only log showing this; there are many of them, and every one has this particularity: the source is always a previous or following IP (for example, if the destination IP is 99.100, I can find sources 99.99 or 99.101, and so on). Can someone who knows this function better help me understand what is happening?

Regards,
Daniele