Focus

Use DNS Queries to Identify Infected Hosts on the Network

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

DNS Security Data Collection and Logging

How DNS Sinkholing Works

Use DNS Queries to Identify Infected Hosts on the Network

The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain, so that you can identify hosts on your network that have been infected with malware. A compromised host might initiate communication with a command-and-control (C2) server—once the connection is made, an attacker can remotely control the infected host, in order to further infiltrate the network or exfiltrate data.

DNS queries to any domain included in the Palo Alto Networks DNS signatures list is sinkholed to a Palo Alto Networks server IP address.

The firewall has two sources of DNS signatures that it can use to identify malicious and C2 domains:

(Requires Threat Prevention) Local DNS signatures—This is a limited, on-box set of DNS signatures that the firewall can use to identify malicious domains. The firewall gets new DNS signatures as part of daily antivirus updates.
(Requires DNS Security) DNS Security signatures—The firewall accesses the Palo Alto Networks DNS Security cloud service to check for malicious domains against the complete database of DNS signatures. Certain signatures—that only DNS Security provides—can uniquely detect C2 attacks that use machine learning techniques, like domain generation algorithms (DGAs) and DNS tunneling.

DNS queries to domains in the local DNS signature set or the DNS Security signature set are redirected to a Palo Alto Networks server, and the host is unable to access the malicious domain. The following topics provide details on how to enable DNS sinkholing so that you can identify infected hosts.

DNS Security Data Collection and Logging

How DNS Sinkholing Works

Next-Generation Firewall Docs

Use DNS Queries to Identify Infected Hosts on the Network

Next-Generation Firewall Docs

Use DNS Queries to Identify Infected Hosts on the Network

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner