Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables
the firewall to forge a response to a DNS query for a known malicious
domain or to a custom domain, so that you can identify hosts on
your network that have been infected with malware. A compromised
host might initiate communication with a command-and-control (C2)
server—once the connection is made, an attacker can remotely control
the infected host, in order to further infiltrate the network or
exfiltrate data.
DNS queries to any domain included in the Palo Alto Networks
DNS signatures list are sinkholed to a Palo Alto Networks server
IP address.
The firewall has two sources of DNS signatures that it can use
to identify malicious and C2 domains: the local DNS signature set
and the DNS Security signature set. DNS queries to domains in either
set are redirected to a Palo Alto Networks server, and the host is
unable to access the malicious domain. The following topics provide
details on how to enable DNS sinkholing so that you can identify
infected hosts.
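The mechanism above works because the forged DNS answer makes the infected host itself open a connection to the sinkhole address, so the firewall's traffic log records the real client address rather than the address of the internal resolver that forwarded the DNS query. The following Python script is an added example, not Palo Alto Networks code: it models the sinkhole decision for one query and then triages a constructed traffic-log sample to list the hosts that tried to reach the sinkhole address. The sinkhole IP (198.51.100.1), the domain set and every log line are constructed for illustration; on a real firewall the sinkhole address is the one configured in the Anti-Spyware profile and the domains come from the local DNS signature set or DNS Security.

```python
"""Added example (not Palo Alto Networks code): a minimal model of the DNS
sinkhole action and of the follow-up triage that identifies infected hosts.
Domains, addresses and log lines below are constructed for illustration."""

from collections import defaultdict

# Constructed sinkhole address (TEST-NET-2, RFC 5737). The real value is
# whatever is configured as the sinkhole address in the Anti-Spyware profile.
SINKHOLE_IP = "198.51.100.1"

# Constructed stand-in for the firewall's DNS signature set. On a real
# firewall this comes from the local DNS signatures or the DNS Security feed.
MALICIOUS_DOMAINS = {"bad-c2.example", "update-check.example"}


def sinkhole_response(qname: str, upstream_answer: str) -> tuple[str, bool]:
    """Model the sinkhole action on one A-record query.

    Returns (address_to_answer_with, was_sinkholed). For a domain in the
    signature set the forged answer points at SINKHOLE_IP instead of the
    real upstream answer; any other query is answered normally.
    """
    name = qname.rstrip(".").lower()
    if name in MALICIOUS_DOMAINS:
        return SINKHOLE_IP, True
    return upstream_answer, False


def parse_traffic_log(lines):
    """Parse constructed CSV traffic-log lines of the form
    time,src,dst,dport,action into a list of dicts."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split(",")
        records.append({"time": ts, "src": src, "dst": dst,
                        "dport": int(dport), "action": action})
    return records


def find_infected_hosts(records, sinkhole_ip=SINKHOLE_IP):
    """Return {client_ip: [timestamps]} for every host that tried to reach
    the sinkhole address. The forged DNS answer makes the infected host
    connect to the sinkhole itself, so the traffic log carries the real
    client address instead of the internal resolver's address."""
    hits = defaultdict(list)
    for r in records:
        if r["dst"] == sinkhole_ip:
            hits[r["src"]].append(r["time"])
    return dict(hits)


# Constructed traffic-log sample. 10.0.2.88 reaches an ordinary destination;
# 10.0.1.17 and 10.0.3.5 follow a sinkholed answer and are the hosts to triage.
SAMPLE_TRAFFIC_LOG = """\
# time,src,dst,dport,action
2024-05-01T09:00:01,10.0.1.17,198.51.100.1,443,allow
2024-05-01T09:00:02,10.0.1.17,198.51.100.1,443,allow
2024-05-01T09:03:10,10.0.2.88,203.0.113.10,443,allow
2024-05-01T09:05:44,10.0.3.5,198.51.100.1,80,allow
"""


def summarize(log_text=SAMPLE_TRAFFIC_LOG):
    """Run the triage over the constructed sample and return the hit map."""
    return find_infected_hosts(parse_traffic_log(log_text.splitlines()))


if __name__ == "__main__":
    addr, forged = sinkhole_response("bad-c2.example", "203.0.113.77")
    print(f"bad-c2.example -> {addr} (sinkholed={forged})")
    for host, times in summarize().items():
        print(f"{host}: {len(times)} connection(s) to sinkhole, first at {times[0]}")
```

In practice the same triage is done by filtering the firewall's traffic log on destination address equals the configured sinkhole address; the source addresses in the matching entries are the hosts to investigate, and a host that connects repeatedly is a stronger signal than a single hit.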