Use DNS Queries to Identify Infected Hosts on the Network
What Do I Need?
Advanced Threat Prevention or Threat Prevention license
The DNS sinkhole action in Anti-Spyware profiles enables the
firewall to forge a response to a DNS query for a known malicious
domain or to a custom domain, so that you can identify hosts on
your network that have been infected with malware. A compromised
host might initiate communication with a command-and-control (C2) server—once
the connection is made, an attacker can remotely control the infected
host, in order to further infiltrate the network or exfiltrate data.
DNS queries to any domain in the Palo Alto Networks DNS signature list are sinkholed to a Palo Alto Networks server.
The firewall has two sources of DNS signatures that it can use
to identify malicious and C2 domains:
(Requires an Advanced Threat Prevention or Threat Prevention subscription)
Local DNS signatures—A limited, on-box set of DNS signatures that the
firewall can use to identify malicious domains. The firewall receives new
local DNS signatures with the daily antivirus content updates.
(Requires a DNS Security subscription) DNS Security signatures—The
firewall queries the Palo Alto Networks DNS Security cloud service to
check domains against the complete DNS signature database. Only DNS
Security provides the signatures that use machine learning to detect
C2 techniques such as domain generation algorithms (DGAs) and DNS
tunneling, which a fixed list of known malicious domains cannot cover. For
more information about the DNS Security subscription, refer to the DNS
DNS queries to domains in the local DNS signature set or the
DNS Security signature set receive a forged response that points the
host at the sinkhole address (by default a Palo Alto Networks server),
so the host never reaches the malicious domain. Because the infected
host then attempts to connect to the sinkhole address, its real IP
address appears as the source of that session in the firewall traffic
logs. This is what makes the technique useful when clients resolve
names through an internal DNS server: the threat log for the sinkholed
query shows only the internal resolver as the source, whereas the
follow-on connection to the sinkhole address identifies the actual
infected host. The following topics provide details on how to enable
DNS sinkholing so that you can identify infected hosts.
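The two halves of the mechanism described above, as an added example that is not Palo Alto Networks code and does not reproduce PAN-OS internals: a minimal sinkhole that forges an A record for a blocklisted domain, and a check over traffic-log lines that lists every host that later connected to the sinkhole address. The sinkhole IP (10.255.255.254), the two blocklisted domains, and the comma-separated log format are all constructed for this example; a real deployment uses the firewall's DNS signature sets and the sinkhole address configured in the Anti-Spyware profile.

```python
"""Added example (not PAN-OS code): forge a sinkhole DNS answer, then
identify infected hosts from the sessions they open to the sinkhole IP."""
import ipaddress
import struct

SINKHOLE_IP = "10.255.255.254"          # hypothetical unused address on the local network
MALICIOUS_DOMAINS = {"evil-c2.example", "dga-x7q2.example"}  # constructed stand-in for a DNS signature set


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a standard DNS query (what an infected host or its resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.strip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)        # QCLASS=IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, end_of_question_offset) for a single-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, off = [], 12
    while True:
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, off + 4


def sinkhole_response(query: bytes, blocklist=MALICIOUS_DOMAINS, sinkhole_ip=SINKHOLE_IP):
    """Forge an answer for a blocklisted A query; return None to let other queries through.

    The response keeps the client's transaction ID and question so the client
    accepts it, and carries the sinkhole address as the only A record.
    (This example handles A queries only; a production sinkhole also answers AAAA.)"""
    txid, qname, qtype, qend = parse_question(query)
    if qname not in blocklist or qtype != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    answer = (b"\xc0\x0c"                                        # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)                # A, IN, TTL 60s, RDLENGTH 4
              + ipaddress.IPv4Address(sinkhole_ip).packed)
    return header + query[12:qend] + answer


def answered_ip(response: bytes) -> str:
    """Address in the single A record of a response built by sinkhole_response."""
    return str(ipaddress.IPv4Address(response[-4:]))


# Constructed traffic-log lines (not real firewall output): time,type,src,dst,dport
SAMPLE_TRAFFIC_LOG = [
    "2024-05-01 10:00:01,traffic,10.1.1.25,10.255.255.254,443",
    "2024-05-01 10:00:02,traffic,10.1.1.40,93.184.216.34,443",
    "2024-05-01 10:00:05,traffic,10.1.1.77,10.255.255.254,8080",
    "2024-05-01 10:00:09,traffic,10.1.1.25,10.255.255.254,443",
]


def infected_hosts(log_lines, sinkhole_ip=SINKHOLE_IP):
    """Source hosts that opened a session to the sinkhole address.

    Each one received a forged answer for a malicious domain, so this is the
    list of infected hosts even when the DNS query itself was logged with an
    internal resolver as its source."""
    hosts = set()
    for line in log_lines:
        _time, _kind, src, dst, _dport = line.split(",")
        if dst == sinkhole_ip:
            hosts.add(src)
    return sorted(hosts, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    q = build_query(0x1234, "evil-c2.example")
    r = sinkhole_response(q)
    print("forged answer for evil-c2.example ->", answered_ip(r))
    print("sinkhole_response(benign.example) ->", sinkhole_response(build_query(1, "benign.example")))
    print("infected hosts:", infected_hosts(SAMPLE_TRAFFIC_LOG))
```

The log check is deliberately keyed on the destination address rather than on the domain name: once the forged answer is cached by the client or an internal resolver, the later sessions to the sinkhole address carry no DNS name at all, so the sinkhole IP is the only reliable pivot for finding the hosts behind a resolver.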