Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables the
firewall to forge a response to a DNS query for a known malicious
domain or to a custom domain, so that you can identify hosts on
your network that have been infected with malware. A compromised
host might initiate communication with a command-and-control (C2)
server—once the connection is made, an attacker can remotely control
the infected host, in order to further infiltrate the network or
exfiltrate data.
DNS queries to any domain included in the Palo Alto Networks
DNS signatures list are sinkholed to a Palo Alto Networks server
IP address.
The firewall has two sources of DNS signatures that it can use
to identify malicious and C2 domains:
(Requires an Advanced Threat Prevention subscription)
Local DNS signatures—This is a limited, on-box set of DNS signatures
that the firewall can use to identify malicious domains. The firewall
gets new DNS signatures as part of daily antivirus updates.
(Requires a DNS Security subscription) DNS Security signatures—The
firewall accesses the Palo Alto Networks DNS Security cloud service
to check domains against the complete database of DNS signatures.
Certain signatures—that only DNS Security provides—use machine
learning techniques to detect C2 activity such as domain generation
algorithms (DGAs) and DNS tunneling, which the local signature set
cannot identify. For more information about the DNS Security
subscription, refer to the DNS Security guide.
If you want to specify a sinkhole action for DNS Security signatures,
you can configure those settings as part of your DNS Security profile.
DNS queries to domains in the local DNS signature set or the
DNS Security signature set are redirected to a Palo Alto Networks
server, and the host is unable to access the malicious domain. The
following topics provide details on how to enable DNS sinkholing
so that you can identify infected hosts.
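Once sinkholing is enabled, identifying the infected host means correlating the sinkholed query in the threat log with the follow-on connection to the sinkhole address in the traffic log, because the query source is often the internal DNS resolver rather than the client that asked for the domain. The script below is an added example, not part of the Palo Alto Networks documentation; it assumes a simplified CSV log layout, constructed sample lines, and a placeholder sinkhole address (the page does not state the real one).

```python
"""Correlate DNS sinkhole events with follow-on traffic to the sinkhole address.

The firewall forges the DNS answer for a signature-matched domain so it points
at the sinkhole address. The threat log records the query (its source may be
the internal resolver, not the real client); the traffic log then shows which
host actually connected to the sinkhole address, and that host is the one to
investigate.
"""
import csv
import io
from collections import defaultdict

# Assumed sinkhole address. The page does not state the Palo Alto Networks
# sinkhole IP, so a TEST-NET-1 documentation address stands in for it here.
SINKHOLE_IP = "192.0.2.1"

# Constructed sample log lines (not real firewall output). Simplified layout:
#   THREAT,<src>,<dst>,<queried-domain>,<action>
#   TRAFFIC,<src>,<dst>,<dport>,<app>
# 10.1.1.5 plays the internal resolver forwarding queries to an external DNS.
SAMPLE_LOGS = """\
THREAT,10.1.1.5,203.0.113.53,bad-domain.example,sinkhole
TRAFFIC,10.1.1.20,192.0.2.1,443,ssl
THREAT,10.1.1.5,203.0.113.53,other-bad.example,sinkhole
TRAFFIC,10.1.1.40,198.51.100.7,443,ssl
TRAFFIC,10.1.1.31,192.0.2.1,80,web-browsing
TRAFFIC,10.1.1.20,192.0.2.1,443,ssl
"""

def parse_logs(text):
    """Yield each non-empty log line as a list of fields."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            yield row

def sinkholed_domains(text):
    """Return {domain: count of sinkholed queries} taken from THREAT lines."""
    hits = defaultdict(int)
    for row in parse_logs(text):
        if row[0] == "THREAT" and row[4] == "sinkhole":
            hits[row[3]] += 1
    return dict(hits)

def sinkhole_clients(text, sinkhole_ip=SINKHOLE_IP):
    """Return {client_ip: sorted (dport, app) pairs} for hosts that connected
    to the sinkhole address; these, not the resolver, are the infected hosts."""
    clients = defaultdict(set)
    for row in parse_logs(text):
        if row[0] == "TRAFFIC" and row[2] == sinkhole_ip:
            clients[row[1]].add((int(row[3]), row[4]))
    return {ip: sorted(conns) for ip, conns in clients.items()}

if __name__ == "__main__":
    print("sinkholed domains:", sinkholed_domains(SAMPLE_LOGS))
    for ip, conns in sorted(sinkhole_clients(SAMPLE_LOGS).items()):
        print(f"host to investigate {ip}: {conns}")
```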