Palo Alto Networks Knowledgebase: How to Verify DNS Sinkhole Function is Working

How to Verify DNS Sinkhole Function is Working

21657
Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM
URL Filtering
Resolution

Details

This document is designed to help verify if the DNS Sinkhole function is working properly through a Palo Alto Networks firewall.

The following 2 scenarios are covered:

  • Client Using External DNS Server
  • Client Using Internal DNS Server

 

DNS Sinkhole Configuration

For information on How to Configure DNS Sinkhole, please see:

How to Configure DNS Sinkhole

 

Also, we have a Video Tutorial on How to Configure DNS Sinkhole:

Video Tutorial: How to Configure DNS Sinkhole

 

Client Using External DNS Server

Note: DNS Sinkhole IP must be in the path of the firewall and the client so you can see logs from it. For example, the Palo Alto Networks firewall sits between an infected client and the data center, but it does not see the internet. In this scenario, if DNS Sinkhole is configured with an internet IP, then the firewall will never see the infected client trying to reach its command & control server.

 

When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as a source.

  1. The user is trying to access a malicious website. The client system will send the DNS query to an external DNS server to get the IP address of the malicious website. The firewall will receive the DNS query directly from the client system.
  2. The  firewall will hijack the DNS query and will give a DNS sinkhole IP address to the client and should be able to see the threat logs with client IP address as a source.

diag 1.png

Client TCP/IP Properties Configuration

Review the following config example:

sinkhole -ip config.png

 

Threat Logs

When using an external DNS server, Threat logs show the Client IP address "192.168.27.192" as a source that is trying to access a malicious website:sinkhole - threat log.png

 

 

Client Output When Using External DNS Server

$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111

The screenshot above shows a host machine 192.168.27.192 performing a DNS request for "79fe3m5f4nx8c1.pmr.cc" (a suspicious URL) and the response being 72.5.65.111. Thus showing that the DNS Sinkhole is working as desired.

 

Client Using Internal DNS Server

If a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and threat logs with the internal DNS server IP address will be seen as a source.

 

Currently, the Palo Alto Networks firewall cannot identify which end client is trying to access a malicious website with the help of the threat logs, because all threat logs will have the internal DNS server IP address as a source. However, the firewall should be able to determine the end client IP address with the help of traffic logs.

 

Below is an example where the user is trying to access a malicious website. The client system will send the DNS query to an internal DNS server to acquire the IP address of the malicious website. Here, the internal DNS server will forward the DNS query to an external DNS server. The firewall will receive a DNS query from the internal DNS server.

 

The firewall will hijack the DNS query and give the DNS sinkhole IP address to the Internal DNS server. The internal DNS server will forward the response to the client system and the user should be able to see threat logs with Internal DNS server IP address as a source. However, Palo Alto Networks firewall should able to see client IP address in the traffic logs because client will try to access that website with DNS sinkhole IP address, as shown in the following screenshot:sinkhole diag 2.png

 

Client TCP/IP Properties Configurationsinkhole -ip config 2.png

 

 

Threat Logs

In threat logs, the firewall shows only the internal DNS server IP address "10.50.240.101" as a source, because the client system is using the internal DNS server IP. Here the firewall is not able to determine which end client is trying to access that website.sinkhole - threat dns server internal.png

 

 

Traffic Logs

However, as soon as client get the IP address from DNS server, it will generate traffic towards the sinkhole IP address(72.5.65.111). Therefore, the firewall will show the end client IP address "192.168.27.192" in traffic logs, as shown below:sinkhole - traffic log.png

 

 

Client Output When Using Internal DNS Server

$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111

The screenshot above shows a host machine 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious URL) with the response of 72.5.65.111. This verifies that the DNS Sinkhole is working as desired.

 

See Also

How to Deal with Conficker using DNS Sinkhole

Where to get suspicious DNS query for testing DNS Sinkhole

 

For Video Tutorials on DNS Sinkhole, please see:

Video Tutorial: How to Configure DNS Sinkhole

Video Tutorial: How to Verify DNS Sinkhole

 

owner: sbabu



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language