DNS Sinkhole Verification and Reporting
Verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is logged properly. In this example, the infected client host is 192.168.2.10 and the sinkhole IPv4 address is 10.15.0.20.
From the client host, open a command prompt and run the following command:
ping 10.15.0.20
The following example output shows the ping request and its result, Request timed out, which is expected because no physical host is assigned to the sinkhole IP address:
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
On the firewall, select Monitor > Logs > Traffic and find the log entry with Source 192.168.2.10 and Destination 10.15.0.20. This confirms that the traffic to the sinkhole IP address is traversing the firewall zones.
You can search and/or filter the logs to show only entries with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which adds the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter. The following screenshot shows the log with the filter applied.
Now that the zones are configured properly, test that the DNS signatures perform the sinkhole action when a malware domain is accessed from the client host. This mirrors what happens when an infected client host runs a malicious application that tries to reach an attacker's server by way of DNS queries.
In this example, the domain track.bidtrk.com is used for testing. This domain is listed in the DNS signature database and is identified as malicious, but it is possible that your antivirus signature DB does not contain it. To find a valid malicious domain for testing, see the information that follows this step.
From the client host, open a command prompt and perform an NSLOOKUP on the domain:
nslookup track.bidtrk.com
In the output, note that the reply for the malicious domain has been forged using the sinkhole IP addresses that were configured. Because the domain matched a malicious DNS signature, the sinkhole action was performed.
View the threat log to confirm that the correct action was taken on the NSLOOKUP request: select Monitor > Logs > Threat.
Perform a ping to track.bidtrk.com, which generates network traffic to the sinkhole address. This traffic is used later in this example to generate a report that finds infected hosts.
How to find a valid malicious domain for testing
This information ensures that you test with a domain that is present in the version of the antivirus signature database currently installed on your system. The DNS signatures used to identify malicious domains are only one part of the full antivirus signature database, which contains hundreds of thousands of signatures.
Perform the following steps to find a malicious domain for testing:
Select Device > Dynamic Updates and, in the Antivirus section, click the release notes link for the antivirus DB that is currently installed. You can also find the antivirus release notes on the support site under Dynamic Updates. In most cases the signature update is incremental, so only new virus and DNS signatures are listed; many antivirus and DNS signatures will already be installed on the firewall.
In the second column of the release note, locate a line item with a domain extension (com, edu, net, and so on).
The left column shows the domain name. For example, in Antivirus release 1117-1560 there is an item in the left column named "tbsbana" and the right column lists "net", which together form the domain tbsbana.net.
To test, from a command prompt, run:
nslookup tbsbana.net
A sinkhole action should occur and the domain should resolve to the defined sinkhole address, because the domain is known to be present in the antivirus DB installed on the firewall.
The following shows the content of the release note for this line item:
conficker:tbsbana 1 variants: net
To view reports, you can use App Scope to view infected client hosts, or create custom reports.
To view from App Scope, select Monitor > App Scope and click the button along the top of the display page.
Select a time range. In this example, select Last 24 hours.
The following screenshot shows three instances of suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph on the firewall to see more details about the event.
Configure a custom report that identifies all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example.
There are several ways to be alerted on these events, such as SNMP traps, forwarding to a Syslog server, and/or forwarding to Panorama.
In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action “Sinkhole”, the log would show the local DNS server, not the infected host.
Select Monitor > Manage Custom Reports and name the report, for example my-sinkhole-report.
Define the custom report. This example uses the following report definitions:
—Choose the detailed threat log, which is displayed as
and the report will run every night. To view scheduled reports that have run, select Monitor > Reports.
—Source address, Source User, Destination address. The critical fields are Source User (if you have User-ID configured), which identifies the infected client host in the report, and Destination address, which will be the sinkhole address.
In the section at the bottom of the screen, create a custom query for the sinkhole destination. Either enter the following query directly (addr.dst in 10.15.0.20), or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
Run the report. The report shows all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. These hosts should be tracked down and checked for spyware.
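The same report can be produced outside the firewall GUI from an exported traffic log, which is useful when the export is fed to a SIEM or when you want to include the IPv6 sinkhole address as well. The following is an added example written for this page; it is not Palo Alto Networks code. It assumes a CSV export with columns named src, dst, srcuser and app (real exports carry many more columns, and only these names are relied on), applies the same test as the GUI filter addr.dst in 10.15.0.20 to every record, and aggregates the matching sources. The log lines are constructed for illustration.

```python
"""
Added example: build the sinkhole report described above from an exported
traffic log. Not Palo Alto Networks code; column names are an assumption.
"""
import csv
import io
import ipaddress
from collections import Counter

# Sinkhole addresses used in the page's example (IPv4 and IPv6).
SINKHOLE_ADDRS = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed sample export for demonstration; these are not real log records.
SAMPLE_LOG = """\
receive_time,src,dst,srcuser,app,action
2024/01/01 10:00:01,192.168.2.10,10.15.0.20,corp\\alice,ping,allow
2024/01/01 10:00:02,192.168.2.10,10.15.0.20,corp\\alice,ping,allow
2024/01/01 10:00:05,192.168.2.10,93.184.216.34,corp\\alice,web-browsing,allow
2024/01/01 10:01:10,192.168.2.55,fd97:3dec:4d27:e37c:5:5:5:5,,web-browsing,deny
2024/01/01 10:02:00,192.168.2.7,10.15.0.20,corp\\bob,ssl,allow
2024/01/01 10:03:00,192.168.2.10,10.15.0.20,corp\\alice,unknown-tcp,allow
"""


def dst_matches_sinkhole(dst: str) -> bool:
    """Equivalent of the GUI filter 'addr.dst in <sinkhole>' for each
    configured sinkhole address. Non-IP or malformed values never match."""
    try:
        return ipaddress.ip_address(dst.strip()) in SINKHOLE_ADDRS
    except ValueError:
        return False


def sinkhole_report(csv_text: str) -> dict:
    """Return {source_ip: {"user": str, "sessions": int, "apps": Counter}}
    for every source that sent traffic to a sinkhole address. Traffic to
    any other destination is ignored, exactly like the custom report query."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not dst_matches_sinkhole(row["dst"]):
            continue
        entry = hosts.setdefault(
            row["src"], {"user": "", "sessions": 0, "apps": Counter()}
        )
        entry["sessions"] += 1
        entry["apps"][row["app"]] += 1
        # Source User is only populated when User-ID is configured; keep the
        # last non-empty value seen so the report can name the infected host.
        if row["srcuser"]:
            entry["user"] = row["srcuser"]
    return hosts


def format_report(hosts: dict) -> str:
    """Render the aggregated hosts as a plain-text table, busiest host first."""
    lines = ["%-16s %-14s %8s  %s" % ("source", "user", "sessions", "apps")]
    for src, info in sorted(hosts.items(), key=lambda kv: -kv[1]["sessions"]):
        apps = ", ".join("%s(%d)" % (a, n) for a, n in info["apps"].most_common())
        lines.append("%-16s %-14s %8d  %s" % (src, info["user"] or "-", info["sessions"], apps))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(sinkhole_report(SAMPLE_LOG)))
```

Every source that appears in the output has contacted the forged sinkhole address and should be treated as a host to track down and check for spyware; the 93.184.216.34 row is correctly excluded, and the IPv6 sinkhole match is reported even though that record has no Source User.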