DNS query does not resolve to the sinkhole IP from PAN-OS 9.0 onward
41966
Created On 03/10/20 04:06 AM - Last Modified 04/18/20 02:01 AM
Symptom
1. Before PAN-OS 9.0, a DNS query for a malicious domain that matches a Palo Alto Networks DNS signature resolves to the sinkhole IP address 75.5.65.111.
2. Before PAN-OS 9.0, a ping to a malicious domain that matches a Palo Alto Networks DNS signature succeeds, because the name resolves to 75.5.65.111.
3. From PAN-OS 9.0 onward, a DNS query for a malicious domain that matches a Palo Alto Networks DNS signature or the DNS Security service does not resolve to a sinkhole IP address.
4. A ping to a malicious domain that matches a Palo Alto Networks DNS signature fails with an unknown host error.
Environment
- Using the nslookup client on Windows, or dig on Unix-based systems, to query a domain that matches a Palo Alto Networks DNS signature
- PAN-OS 9.0 and above
- Palo Alto Networks firewall
Cause
From PAN-OS 9.0 onward, the Palo Alto Networks default sinkhole IP addresses are replaced by a CNAME record. Canonical name (CNAME) records act as aliases: they point to another DNS name instead of to an IP address.
- When a DNS lookup for a malicious domain is performed, this CNAME is returned instead of an A or AAAA record
- Security and IR teams can investigate any clients requesting resolution of these domains
The default CNAME record is sinkhole.paloaltonetworks.com, and it can be updated via content update.
Before PAN-OS 9.0:
PAN-OS 9.0 and above:
Resolution
For Windows systems performing NSLOOKUP:
1. Launch Windows Command Prompt by navigating to Start > Command Prompt or via Run > CMD.
2. Type NSLOOKUP and hit Enter. The default Server is your local DNS server, and the Address is its IP address.
3. Set the DNS record type you wish to look up by typing set type=## where ## is the record type, then hit Enter. The default resource record type is A, which is why no answer was returned earlier. In this case, use the CNAME record type instead: set type=CNAME.
4. Now enter the malicious domain name you wish to query then hit Enter. Same applies to the test domains listed in the documentation.
5. NSLOOKUP will now return the CNAME record sinkhole.paloaltonetworks.com
6. Depending on the host/application/infected host behavior, a second DNS lookup may be performed to get the IP address for CNAME record sinkhole.paloaltonetworks.com.
7. You should expect a response when pinging to sinkhole.paloaltonetworks.com
or
Using dig on Linux. Dig (Domain Information Groper) is a command-line tool for querying DNS name servers. It allows you to query information about various DNS records, including host addresses, mail exchanges, and name servers, and is the most commonly used tool among system administrators for troubleshooting DNS problems because of its flexibility and ease of use. As with nslookup, query the CNAME record of the malicious domain, then resolve sinkhole.paloaltonetworks.com to obtain an IP address.
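The two-step check described above (A lookup, then CNAME lookup, then a second lookup for the sinkhole alias), written as an added Python example that is not part of the article. The dig-based backend and the constructed answer table are assumptions for illustration; the placeholder address returned for the sinkhole name is constructed, not the real one.

```python
"""Two-step sinkhole verdict mirroring the nslookup/dig procedure (constructed example)."""
import subprocess
from typing import Callable, Dict, List, Optional

SINKHOLE_CNAME = "sinkhole.paloaltonetworks.com"   # default CNAME named in the article
LEGACY_SINKHOLE_IP = "75.5.65.111"                  # pre-9.0 sinkhole address named in the article

Lookup = Callable[[str, str], List[str]]            # (name, record type) -> answers


def dig_lookup(name: str, rtype: str) -> List[str]:
    """Hypothetical live backend: runs `dig +short` (needs dig and network access)."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=False)
    return [tok.rstrip(".") for tok in out.stdout.split()]


def sinkhole_verdict(domain: str, lookup: Lookup) -> Dict[str, Optional[str]]:
    """Classify a domain the way the resolution steps describe it."""
    a_records = lookup(domain, "A")
    if LEGACY_SINKHOLE_IP in a_records:                 # pre-9.0 firewall: sinkhole IP in the A answer
        return {"sinkholed": True, "how": "A", "target": LEGACY_SINKHOLE_IP}
    # 9.0+: the A query yields no address; ask for the CNAME instead (steps 3-5).
    # Some resolvers echo the alias inside the A answer, so accept it from either query.
    cnames = [r for r in a_records if r == SINKHOLE_CNAME] or lookup(domain, "CNAME")
    if SINKHOLE_CNAME in cnames:
        sink_ips = lookup(SINKHOLE_CNAME, "A")           # step 6: second lookup for the alias
        return {"sinkholed": True, "how": "CNAME",
                "target": sink_ips[0] if sink_ips else None}
    if a_records:
        return {"sinkholed": False, "how": "A", "target": a_records[0]}
    return {"sinkholed": False, "how": "NXDOMAIN", "target": None}


# Constructed answers emulating a PAN-OS 9.0+ firewall (and one pre-9.0 case) in front of a resolver.
FAKE_ZONE = {
    ("evil.example", "A"): [],
    ("evil.example", "CNAME"): [SINKHOLE_CNAME],
    (SINKHOLE_CNAME, "A"): ["198.51.100.10"],           # constructed placeholder, not the real address
    ("benign.example", "A"): ["192.0.2.7"],
    ("old-evil.example", "A"): [LEGACY_SINKHOLE_IP],    # what a pre-9.0 firewall returned
}


def fake_lookup(name: str, rtype: str) -> List[str]:
    return FAKE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    for d in ("evil.example", "benign.example", "old-evil.example", "gone.example"):
        print(d, sinkhole_verdict(d, fake_lookup))
```

Swap `fake_lookup` for `dig_lookup` to run the same logic against a real resolver behind the firewall.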
Additional Information
Whenever a DNS lookup matches an active Palo Alto Networks DNS signature, a corresponding spyware-type event is generated in the Threat log.
External reference on DNS resolution process for CNAME Records can be found here.