Advanced Threat Prevention Powered by Precision AI®
See Infected Hosts that Attempted to Connect to a Malicious Domain
Monitor traffic to your sinkhole address to track and remediate infected hosts. Log
analysis helps you identify compromised devices and eliminate threats from your network
effectively.
Maintaining a robust DNS sinkholing strategy requires a consistent transition from
detection to active remediation. Once the redirection of malicious queries is
verified, the firewall serves as a critical visibility point by capturing every
attempt a compromised device makes to connect with the forged sinkhole IP address.
Because these connection attempts are recorded in the traffic logs, they provide the
necessary data to bridge the gap between a suspicious DNS request and the specific
internal host that initiated it.
Regularly auditing these logs allows security teams to efficiently track down
infected devices that might otherwise remain hidden behind local DNS resolvers. By
filtering for your designated sinkhole destination, you can isolate the source IP
addresses of compromised systems and begin the containment process. This high-level
visibility is essential for stopping the progression of an attack, as it identifies
"patient zero" before malware can move laterally or begin exfiltrating sensitive
data.
- Use App Scope to identify infected client hosts.
  - Select Monitor > App Scope > Threat Monitor.
  - Click the Show spyware button along the top of the display page.
  - Select a time range.
  - In the example screenshot, the Threat Monitor shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.
- Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example. Forward the report to an SNMP manager, Syslog server, and/or Panorama to enable alerts on these events.
  In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. The query was sent to the local DNS server, which forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query against the DNS Signature database and forged the reply using the sinkhole addresses 10.15.0.20 (IPv4) and fd97:3dec:4d27:e37c:5:5:5:5 (IPv6). The client then attempts to start a session, and the traffic log records the activity with the source host and the destination address, which is now the forged sinkhole address.
  Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the infected client host. If you ran a report on the threat log using the action “Sinkhole”, the log would show the local DNS server, not the infected host.
  - Select Monitor > Manage Custom Reports.
  - Click Add and name the report.
  - Define a custom report that captures traffic to the sinkhole address as follows:
    - Database—Select Traffic Log.
    - Scheduled—Enable Scheduled so that the report runs every night.
    - Time Frame—30 days
    - Selected Columns—Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
    - In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address (10.15.0.20 in this example). You can either enter the destination address in the Query Builder window (addr.dst in 10.15.0.20) or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
  - Click Run Now to run the report. The report shows all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
- To view scheduled reports that have run, select Monitor > Reports.
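The same filtering that the custom report performs (`addr.dst in 10.15.0.20`) can be applied offline to an exported traffic log. The following script is an added example, not part of the original page or a Palo Alto Networks tool; it parses a constructed, simplified CSV export (the column names are an assumption modelled on the log viewer, and real exports carry many more columns) and lists every source host that tried to reach either of the example sinkhole addresses, covering the IPv6 sinkhole as well as the IPv4 one.

```python
"""List infected hosts from an exported traffic log by matching the sinkhole address."""
import csv
import io
import ipaddress
from collections import defaultdict

# Sinkhole addresses from the example above (IPv4 and IPv6).
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed sample export. 192.168.2.1 is the local DNS server forwarding the
# query upstream; it is NOT flagged, which is why the threat log alone (action
# "Sinkhole") would point at the resolver instead of the infected client.
SAMPLE_TRAFFIC_LOG = """\
Receive Time,Type,Source address,Destination address,Destination Port,Application,Action
2024/05/01 10:02:11,TRAFFIC,192.168.2.10,10.15.0.20,80,web-browsing,allow
2024/05/01 10:02:12,TRAFFIC,192.168.2.10,10.15.0.20,443,ssl,allow
2024/05/01 10:05:40,TRAFFIC,192.168.2.55,93.184.216.34,443,ssl,allow
2024/05/01 10:07:03,TRAFFIC,fd00:1:2::7,fd97:3dec:4d27:e37c:5:5:5:5,443,ssl,allow
2024/05/01 10:09:15,TRAFFIC,192.168.2.1,8.8.8.8,53,dns,allow
"""


def sinkhole_contacts(csv_text, sinkholes=SINKHOLE_ADDRESSES):
    """Return {source_ip: [(time, dst, port, app), ...]} for sinkhole-bound flows.

    This is the report query `addr.dst in <sinkhole>` applied to every address
    in `sinkholes`, keyed on column names rather than positions.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            dst = ipaddress.ip_address(row["Destination address"].strip())
        except ValueError:
            continue  # skip a malformed row rather than abort the whole report
        if dst in sinkholes:
            hits[row["Source address"].strip()].append(
                (row["Receive Time"], str(dst), row["Destination Port"], row["Application"])
            )
    return dict(hits)


def infected_hosts(csv_text, sinkholes=SINKHOLE_ADDRESSES):
    """Sorted list of source addresses that attempted to reach a sinkhole address."""
    return sorted(sinkhole_contacts(csv_text, sinkholes))


if __name__ == "__main__":
    for host, flows in sinkhole_contacts(SAMPLE_TRAFFIC_LOG).items():
        print(f"{host}: {len(flows)} sinkhole connection attempt(s)")
```

Point the script at a real CSV export from Monitor > Logs > Traffic after adjusting the column names to match the export; the output hosts are the ones to track down and check for spyware.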