Learn about the DGA detection features of the DNS Security Service.
Domain generation algorithms (DGAs) automatically generate domain names,
typically in large numbers, for the purpose of establishing a malicious
command-and-control (C2) communications channel. DGA-based malware (such
as Pushdo, BankPatch, and CryptoLocker) makes domain blocking ineffective
by hiding the location of its active C2 servers among a large number of
candidate domains. The candidates are generated algorithmically from
inputs such as the time of day, cryptographic keys, or other unique
values. Although most domains generated by a DGA never resolve, all of
them must be identified to fully defend against a given threat. DGA
analysis determines whether a domain is likely to have been generated by
a machine rather than a person, using characteristics learned by
reverse-engineering known DGAs and analyzing other techniques frequently
found in them. Palo Alto Networks uses these characteristics to identify
and block previously unknown DGA-based threats in real time.
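As an added illustration (not code from the DNS Security Service or any Palo Alto Networks product), the Python below shows the kind of lexical characteristics such analysis relies on, scored over constructed sample domains. It also includes a toy time-seeded generator in the style the paragraph describes and a fold over constructed DNS log tuples that counts non-resolving, DGA-looking queries per client, since the queries matter even when the names never resolve. The reference word list, the thresholds, the `toy_dga` algorithm and the log tuple format are all assumptions made for this example.

```python
"""Lexical DGA scoring plus a toy time-seeded generator.

Added example only: not Palo Alto Networks' classifier. The thresholds,
the reference vocabulary and toy_dga itself are assumptions.
"""
import hashlib
import math
from collections import Counter

# Constructed reference vocabulary (assumption); a real detector would use a
# large corpus. Every word here contains a vowel, which the tests rely on.
REFERENCE_WORDS = (
    "google mail cloud news shop bank login secure update face book time "
    "amazon store video search drive micro soft"
).split()

CONSONANTS = "bcdfghjklmnpqrstvwxz"  # 20 letters; a e i o u excluded


def toy_dga(day: str, key: bytes, count: int = 5, tld: str = ".com") -> list:
    """Toy DGA (assumption, not any real family): hash(date:index || key) and
    map each of the first 14 hex nibbles to a consonant."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode() + key).hexdigest()
        label = "".join(CONSONANTS[int(c, 16)] for c in digest[:14])
        domains.append(label + tld)
    return domains


def second_level_label(domain: str) -> str:
    """Label left of the TLD. Simplification: no public-suffix list, so
    names under co.uk and similar would need extra handling."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s: str) -> float:
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch in CONSONANTS else 0
        best = max(best, run)
    return best


def has_reference_word(s: str, min_len: int = 4) -> bool:
    return any(w in s for w in REFERENCE_WORDS if len(w) >= min_len)


def dga_features(domain: str) -> dict:
    label = second_level_label(domain)
    return {
        "label": label,
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio(label), 3),
        "consonant_run": longest_consonant_run(label),
        "dictionary_hit": has_reference_word(label),
    }


def is_dga_like(domain: str) -> bool:
    """Flag when at least two of three lexical signals fire. Thresholds are
    hand-picked assumptions for this example, not measured values."""
    f = dga_features(domain)
    signals = (
        f["entropy"] >= 3.0,                                 # many distinct letters
        f["vowel_ratio"] < 0.2 or f["consonant_run"] >= 5,   # unpronounceable
        not f["dictionary_hit"],                             # no recognisable word
    )
    return sum(signals) >= 2


def suspect_clients(records, min_hits: int = 3) -> dict:
    """Fold (client, qname, rcode) tuples (constructed log format) into a
    per-client count of DGA-looking queries that got NXDOMAIN; return the
    clients at or above min_hits."""
    hits = Counter()
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN" and is_dga_like(qname):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    candidates = toy_dga("2024-01-15", b"example-key")
    for d in candidates + ["google.com", "facebook.com"]:
        print(d, dga_features(d), "DGA-like" if is_dga_like(d) else "benign")
    # Constructed log: one host burning through candidates, one normal host.
    log = [("10.0.0.5", d, "NXDOMAIN") for d in candidates[:4]]
    log += [("10.0.0.5", candidates[4], "NOERROR"),  # the one live C2 name
            ("10.0.0.9", "google.com", "NOERROR")]
    print(suspect_clients(log))  # {'10.0.0.5': 4}
```

Two caveats a practitioner should keep in mind. Lexical signals alone produce false positives on short, vowel-poor brand names and miss DGAs that concatenate dictionary words, which is why the per-client NXDOMAIN count is kept as an independent signal. Production systems also need a public-suffix list for label extraction and a far larger language model than the toy word list above.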
You can analyze the sinkholed DNS queries by viewing the threat
logs (Monitor > Logs, then select the log
type from the list):