See Infected Hosts that Attempted to Connect to a Malicious Domain
After you have configured DNS sinkholing and
verified that traffic to a malicious domain goes to the sinkhole
address, you should regularly monitor traffic to the sinkhole address,
so that you can track down the infected hosts and eliminate the
Use App Scope to identify infected client hosts.
along the top of the display page.
Select a time range.
The following screenshot shows three instances of Suspicious
DNS queries, which were generated when the test client host performed
an NSLOOKUP on a known malicious domain. Click the graph to see
more details about the event.
Configure a custom report to identify all client hosts
that have sent traffic to the sinkhole IP address, which is 10.15.0.20
in this example.
Forward to an SNMP manager, Syslog server
and/or Panorama to enable alerts on these events.
In this example, the infected client host performed an NSLOOKUP to
a known malicious domain that is listed in the Palo Alto Networks
DNS Signature database. When this occurred, the query was sent to
the local DNS server, which then forwarded the request through the
firewall to an external DNS server. The firewall security policy with
the Anti-Spyware profile configured matched the query against the DNS
Signature database, and the firewall then forged the reply using the sinkhole
addresses 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client then
attempts to start a session, and the traffic log records the activity
with the source host and the destination address, which is now
the forged sinkhole address.
Viewing the traffic log on
the firewall allows you to identify any client host that is sending
traffic to the sinkhole address. In this example, the logs show
that the source address 192.168.2.10 sent the malicious DNS query.
The host can then be found and cleaned. Without the DNS sinkhole
option, the administrator would only see the local DNS server as
the system that performed the query and would not see the client
host that is infected. If you attempted to run a report on the threat
log using the action “Sinkhole”, the log would show the local DNS
server, not the infected host.
Manage Custom Reports
Define a custom report that captures traffic to the
sinkhole address as follows:
the report will run every night.
have User-ID configured), which will identify the infected client
host in the report, and
which will be the sinkhole address.
In the section at the bottom of the screen, create a custom
query for traffic to the sinkhole address (10.15.0.20 in this example).
You can either enter the destination address in the
(addr.dst in 10.15.0.20) or select
the following in each column and click
Connector = and, Attribute = Destination Address, Operator = in,
and Value = 10.15.0.20. Click
to run the report.
The report will show all client hosts that have sent traffic to
the sinkhole address, which indicates that they are most likely
infected. You can now track down the hosts and check them for spyware.
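The same destination-address filter can be applied offline to an exported traffic log. The following is an added example, not part of the original documentation or any Palo Alto Networks tooling: it lists every source host that sent traffic to either sinkhole address from this page. The CSV column names (time, src, dst, src_user, app) and the sample rows are constructed assumptions, not the PAN-OS export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Sinkhole addresses taken from the example on this page.
SINKHOLES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed sample export; column names are assumptions, not the PAN-OS schema.
SAMPLE_LOG = """\
time,src,dst,src_user,app
2024-05-01 09:14:02,192.168.2.10,10.15.0.20,corp\\alice,web-browsing
2024-05-01 09:14:05,192.168.2.11,198.51.100.7,corp\\bob,ssl
2024-05-01 09:20:41,192.168.2.10,10.15.0.20,corp\\alice,web-browsing
2024-05-01 10:02:17,fd00::2:33,fd97:3dec:4d27:e37c:0005:0005:0005:0005,,incomplete
not-a-row
"""

def sinkhole_hits(log_text, sinkholes=SINKHOLES):
    """Return {source: {count, first, last, users}} for rows destined to a sinkhole."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "users": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            # Parse rather than string-compare so expanded and compressed
            # IPv6 spellings of the sinkhole address match the same entry.
            dst = ipaddress.ip_address((row.get("dst") or "").strip())
            src = ipaddress.ip_address((row.get("src") or "").strip())
        except ValueError:
            continue  # skip malformed or truncated rows
        if dst not in sinkholes:
            continue
        entry = hits[str(src)]
        entry["count"] += 1
        ts = row["time"]  # ISO-style timestamps sort correctly as strings
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        if row.get("src_user"):
            entry["users"].add(row["src_user"])
    return dict(hits)

if __name__ == "__main__":
    ranked = sorted(sinkhole_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, e in ranked:
        print(f"{src:15} hits={e['count']} first={e['first']} last={e['last']} users={sorted(e['users'])}")
```

Hosts with repeated hits over time are the first candidates to track down and check for spyware.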