Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables
the firewall to forge a response to a DNS query for a known malicious
domain or to a custom domain, so that you can identify hosts on
your network that have been infected with malware. A compromised
host might initiate communication with a command-and-control (C2)
server—once the connection is made, an attacker can remotely control
the infected host, in order to further infiltrate the network or
exfiltrate data.
DNS queries to any domain included in the Palo Alto Networks
DNS signatures list are sinkholed to a Palo Alto Networks server
IP address.
The firewall has two sources of DNS signatures that it can use
to identify malicious and C2 domains:
(Requires Threat Prevention) Local DNS signatures—This
is a limited, on-box set of DNS signatures that the firewall can
use to identify malicious domains. The firewall gets new DNS signatures
as part of daily antivirus updates.
(Requires DNS Security)
DNS Security signatures—The firewall queries the Palo Alto Networks
DNS Security cloud service to check domains against the complete
database of DNS signatures. Certain signatures that only DNS Security
provides apply machine learning techniques to uniquely detect C2
activity that relies on domain generation algorithms (DGAs) and
DNS tunneling.
DNS queries to domains in the local DNS signature set or the
DNS Security signature set are redirected to a Palo Alto Networks
server, and the host is unable to access the malicious domain. The
following topics provide details on how to enable DNS sinkholing
so that you can identify infected hosts.
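The following is an added, stand-alone model of the sinkhole mechanism described above; it is not Palo Alto Networks code. The signature set, the sinkhole address (an address from the 198.51.100.0/24 documentation range), and the traffic log lines are all constructed for illustration. It shows the two halves of the technique: the forged DNS answer for a signature-listed domain, and the later pass over traffic logs that finds the hosts which actually tried to reach the sinkhole address.

```python
"""Toy model of DNS sinkholing: forge answers for listed domains, then find
the hosts that connect to the sinkhole address.

Added example, not Palo Alto Networks code. SIGNATURE_SET, SINKHOLE_IP and
SAMPLE_TRAFFIC_LOG are constructed stand-ins.
"""
from __future__ import annotations

from typing import Iterable

# Constructed stand-ins: this list plays the role of the firewall's local DNS
# signature set, and the documentation-range address plays the sinkhole server.
SIGNATURE_SET = {"bad-c2.example", "dga-k3jx9.example"}
SINKHOLE_IP = "198.51.100.1"  # constructed placeholder, not a real sinkhole

# Constructed traffic log in a simple "key=value" format: two internal hosts
# open sessions to the sinkhole address after receiving the forged answer.
SAMPLE_TRAFFIC_LOG = [
    "src=10.1.2.3 dst=198.51.100.1 dport=443 action=deny",
    "src=10.1.2.4 dst=203.0.113.10 dport=443 action=allow",
    "src=10.1.2.9 dst=198.51.100.1 dport=80 action=deny",
    "src=10.1.0.53 dst=203.0.113.53 dport=53 action=allow",
]


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so lookups match DNS wire names."""
    return domain.rstrip(".").lower()


def is_signature_match(qname: str, signatures: set[str]) -> bool:
    """True if the query name, or any parent domain of it, is in the signature set.

    Matching parents means sub.bad-c2.example is caught by a bad-c2.example
    signature, which is how domain-based lists are normally applied.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in signatures for i in range(len(labels)))


def resolve(qname: str, signatures: set[str], upstream: dict[str, str]) -> dict:
    """Model the firewall's handling of a single A query.

    A query for a signature-listed domain gets a forged answer pointing at the
    sinkhole address; anything else is answered from the (constructed) upstream
    table, so the host never learns the malicious domain's real address.
    """
    name = normalize(qname)
    if is_signature_match(name, signatures):
        return {"qname": name, "answer": SINKHOLE_IP, "action": "sinkhole"}
    return {"qname": name, "answer": upstream.get(name), "action": "allow"}


def sinkholed_hosts(traffic_log: Iterable[str], sinkhole_ip: str) -> set[str]:
    """Return the source IPs that tried to connect to the sinkhole address.

    The forged answer is only half the picture: when clients resolve through an
    internal DNS server, the firewall sees that server as the source of the
    malicious query. The infected client reveals itself when it opens a session
    to the sinkhole IP, which is what this pass over the traffic log extracts.
    """
    hosts: set[str] = set()
    for line in traffic_log:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("dst") == sinkhole_ip and "src" in fields:
            hosts.add(fields["src"])
    return hosts


if __name__ == "__main__":
    print(resolve("www.bad-c2.example.", SIGNATURE_SET, {}))
    print(resolve("intranet.example", SIGNATURE_SET, {"intranet.example": "10.0.0.5"}))
    print("hosts that contacted the sinkhole:", sorted(sinkholed_hosts(SAMPLE_TRAFFIC_LOG, SINKHOLE_IP)))
```

The second function is the one worth keeping in mind when reading the threat log: a sinkhole entry whose source is your internal resolver tells you a listed domain was queried, but the traffic log sessions to the sinkhole address tell you which hosts to investigate.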