Identify Infected Hosts

After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
  • Use App Scope to identify infected client hosts.
    1. Select Monitor > App Scope > Threat Monitor.
    2. Click Show spyware along the top of the page.
    3. Select a time range.
      The following screenshot shows three instances of Suspicious DNS queries, generated when the test client host ran nslookup against a known malicious domain. Click the graph to see more details about the events.
      dns-sinkhole-report.png
  • Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example.
    Forward the logs to an SNMP manager, a syslog server, and/or Panorama so that you can alert on these events.
    In this example, the infected client host ran nslookup against a known malicious domain listed in the Palo Alto Networks DNS Signature database. The query went to the local DNS server, which forwarded it through the firewall to an external DNS server. The security policy rule with the Anti-Spyware profile matched the query against the DNS Signature database, and the firewall forged the DNS reply with the sinkhole addresses 10.15.0.20 (IPv4) and fd97:3dec:4d27:e37c:5:5:5:5 (IPv6). The client then tried to open a session to the sinkhole address, and the traffic log recorded that session with the client as the source and the forged sinkhole address as the destination.
    Viewing the traffic log on the firewall therefore lets you identify every client host that sends traffic to the sinkhole address. In this example, the traffic log shows 192.168.2.10 as the source of the connection attempt, so that host can be located and cleaned. Without DNS sinkholing, the firewall would see only the local DNS server as the system that performed the query and would never see the infected client. For the same reason, a report on the threat log filtered on the action "Sinkhole" shows the local DNS server (the source of the DNS query the firewall answered), not the infected host; you need the traffic log to see the client. Note that this only works when the client's follow-on connection to the sinkhole address traverses the firewall, so choose a sinkhole address in a range that is routed through the firewall and not otherwise in use.
    1. Select Monitor > Manage Custom Reports.
    2. Click Add and enter a Name for the report.
    3. Define a custom report that captures traffic to the sinkhole address as follows:
      • Database—Select Traffic Log.
      • Scheduled—Enable Scheduled so that the report runs every night.
      • Time Frame—30 days
      • Selected Columns—Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
      • In the section at the bottom of the screen, build a query that matches traffic to the sinkhole address (10.15.0.20 in this example). Either type the query directly in the Query Builder window (addr.dst in 10.15.0.20) or select Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20, and click Add. If you also configured an IPv6 sinkhole address (fd97:3dec:4d27:e37c:5:5:5:5 in this example), add a second term for it with the or connector so the report does not miss IPv6 clients.
      dns-sinkhole-query.png
    4. Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
      dns-sinkhole-custom-report-output.png
    5. To view scheduled reports that have run, select Monitor > Reports.
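The following script is an added example, not part of the Palo Alto Networks documentation or PAN-OS itself. It applies the same selection the custom report performs (destination address in the sinkhole address set) to an exported traffic log, and contrasts it with the threat log, where the "sinkhole" rows carry only the local DNS server as the source. The CSV rows are constructed for illustration, the column names (receive_time, src, dst, dport, app, action, threat) are an assumption standing in for the many columns of a real PAN-OS export, and the resolver address 192.168.2.2 is invented; the sinkhole addresses and the client 192.168.2.10 are the page's own.

```python
"""Correlate exported PAN-OS traffic log rows with the DNS sinkhole addresses.

Added example (not PAN-OS code). Sample log rows below are constructed, and
the column names are assumed for illustration.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Sinkhole addresses from the documentation example (IPv4 and IPv6). Parsing
# them with ipaddress makes the comparison insensitive to spelling differences
# such as compressed versus expanded IPv6 notation in the export.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed traffic log export. The real export has many more columns; these
# header names are an assumption for this example.
TRAFFIC_LOG_CSV = """receive_time,src,dst,dport,app,action
2024/03/01 09:12:03,192.168.2.10,10.15.0.20,80,web-browsing,allow
2024/03/01 09:12:04,192.168.2.10,10.15.0.20,443,ssl,allow
2024/03/01 09:15:40,192.168.2.37,fd97:3dec:4d27:e37c:0005:5:5:5,443,ssl,allow
2024/03/01 09:16:00,192.168.2.50,93.184.216.34,443,ssl,allow
2024/03/01 09:17:22,192.168.2.10,10.15.0.20,8080,unknown-tcp,allow
"""

# Constructed threat log rows for the same incident. The source is the local
# DNS server (192.168.2.2, an assumed address), which is why the threat log
# alone cannot tell you which client is infected.
THREAT_LOG_CSV = """receive_time,src,dst,action,threat
2024/03/01 09:12:02,192.168.2.2,203.0.113.53,sinkhole,Suspicious DNS Query
2024/03/01 09:15:39,192.168.2.2,203.0.113.53,sinkhole,Suspicious DNS Query
"""


def infected_hosts(traffic_csv, sinkholes=SINKHOLE_ADDRESSES):
    """Return {source: [(time, dst, dport, app), ...]} for every traffic log row
    whose destination is a sinkhole address.

    This is the report query 'addr.dst in 10.15.0.20' generalised to the whole
    sinkhole address set, so the IPv6 sinkhole is covered too.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(StringIO(traffic_csv)):
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # non-IP or malformed destination field; skip the row
        if dst in sinkholes:
            hits[row["src"]].append(
                (row["receive_time"], row["dst"], row["dport"], row["app"])
            )
    return dict(hits)


def threat_log_sinkhole_sources(threat_csv):
    """Sorted distinct sources of threat log rows with action 'sinkhole'.

    These are the resolvers that asked the firewall, not the infected clients.
    """
    return sorted(
        {row["src"] for row in csv.DictReader(StringIO(threat_csv))
         if row["action"] == "sinkhole"}
    )


if __name__ == "__main__":
    for src, sessions in sorted(infected_hosts(TRAFFIC_LOG_CSV).items()):
        print(f"{src}: {len(sessions)} session(s) to the sinkhole")
        for when, dst, dport, app in sessions:
            print(f"    {when}  -> {dst}:{dport} ({app})")
    print("threat log 'sinkhole' sources (resolvers only):",
          threat_log_sinkhole_sources(THREAT_LOG_CSV))
```

Run against a real export by replacing the two constructed strings with the contents of the CSV files downloaded from Monitor > Logs; the output lists each client that connected to the sinkhole with the sessions it attempted, which is the same information the scheduled custom report produces, and the threat log summary shows only the resolver.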

Related Documentation