

If you'd like to verify that the DNS Sinkhole function is working properly through a Palo Alto Networks firewall, you'll want to watch this video.

Video Tutorial Transcript: How to Verify DNS Sinkhole

This is a Palo Alto Networks Video Tutorial, How to Verify DNS Sinkhole. My name is Joe Delio and I am a Solutions Engineer from the Palo Alto Networks Community team.

For simplicity, I'll be talking about verifying a client using an external DNS server. This video helps verify if the DNS Sinkhole function is working properly through a Palo Alto Networks firewall.

Note: We're assuming that you already have configured the DNS Sinkhole feature and want to make sure it's working properly. If you would like to read about verifying both internal and external DNS servers with DNS Sinkhole, please see: How to Verify DNS Sinkhole Function is Working

I have talked about how to configure DNS Sinkhole in a previous video: Video Tutorial: How to Configure DNS Sinkhole

For a document about configuring DNS Sinkhole, please see:

I will be talking with you today about a client using an external DNS server making a malicious DNS request.

Here is an overview of how the DNS Sinkhole protection works:
1. The suspicious DNS request is seen by the firewall.
2. The firewall blocks this request and sends a fake IP to answer the DNS request.
3. The infected client gets your fake DNS answer and tries to reach its Command and Control server by making the http/https call to the Sinkhole IP.
4. If you are blocking access to this fake IP, then that is how we can determine which client is infected.

Note: The Palo Alto Networks firewall must be in the path of the DNS request to a suspicious URL and also in the path the infected machine uses when it tries to access the DNS Sinkhole IP.

When the client system is accessing a known malicious URL using an external DNS server, the DNS query goes from the client, through the Palo Alto Networks firewall, then to the external DNS server. The firewall hijacks the DNS query and responds as the DNS server with the DNS sinkhole IP address to the client. In this example, 1.1.1.1 is being used as the fake DNS sinkhole IP. Inside the threat logs, you should be able to see the client IP address as the source when the suspicious DNS request is made.

The next step would be looking for the client attempting to access the DNS sinkhole IP 1.1.1.1. If you have configured your firewall properly, then you should be blocking all access, or at a minimum service port 80 (HTTP) or port 443 (HTTPS). Inside the traffic logs, you'll see dropped traffic to 1.1.1.1.

Now, let's take a look at this from a client perspective. We know that the following domain is considered a 'Suspicious Domain.' By manually performing this lookup with a suspicious URL, you can now see firsthand that the DNS Sinkhole is working to provide the fake IP. When we have the DNS Sinkhole configured properly, and someone resolves that domain, the fake DNS Sinkhole IP should resolve instead of the real domain's IP address. Access to the site will not work, as that is a fake IP, which is OK.

The second part of this is to pretend that you are an infected host: open a web browser and try to visit the suspicious URL with the given IP, 1.1.1.1. In a minute, you'll see how this is important for the traffic logs.

Now, if you look inside the threat logs (back inside the WebGUI, select Monitor > Threat Logs)
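As an added illustration (not part of the tutorial and not Palo Alto Networks tooling), the correlation behind step 4 in Python: the threat log gives the hosts that received the sinkhole answer, the traffic log gives the hosts that then tried to reach 1.1.1.1, and only a host present in both is flagged as infected; hosts present in just one log are reported separately because they usually mean the firewall is not in one of the two paths. The record layout, the `sinkhole`/`deny`/`allow` action strings and the sample addresses are constructed assumptions, not the PAN-OS log export schema.

```python
import socket
from collections import defaultdict

SINKHOLE_IP = "1.1.1.1"  # the fake sinkhole IP used in the tutorial
# Constructed sample records in a simplified layout (not the PAN-OS export format):
# two hosts got the sinkhole answer; one of them then tried 1.1.1.1 and was denied;
# a third host reached 1.1.1.1 with no sinkhole event logged for it.
THREAT_LOG = [
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 53, "action": "sinkhole"},
    {"src": "10.0.0.7", "dst": "8.8.8.8", "dport": 53, "action": "sinkhole"},
]
TRAFFIC_LOG = [
    {"src": "10.0.0.5", "dst": "1.1.1.1", "dport": 443, "action": "deny"},
    {"src": "10.0.0.5", "dst": "1.1.1.1", "dport": 80, "action": "deny"},
    {"src": "10.0.0.9", "dst": "1.1.1.1", "dport": 443, "action": "deny"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 443, "action": "allow"},
]

def lookup_is_sinkholed(domain, sinkhole_ip=SINKHOLE_IP):
    """Client-side manual check: does the domain resolve to the sinkhole IP?
    Needs a resolver path through the firewall, so it is not run offline."""
    return socket.gethostbyname(domain) == sinkhole_ip

def sinkhole_dns_clients(threat_log):
    """Steps 1-2: sources whose suspicious DNS query was answered with the fake IP."""
    return {e["src"] for e in threat_log if e["action"] == "sinkhole"}

def sinkhole_contact_attempts(traffic_log, sinkhole_ip, ports=(80, 443)):
    """Step 3: sources seen trying to reach the sinkhole IP, keyed by firewall action."""
    attempts = defaultdict(set)
    for e in traffic_log:
        if e["dst"] == sinkhole_ip and e["dport"] in ports:
            attempts[e["action"]].add(e["src"])
    return attempts

def classify(threat_log, traffic_log, sinkhole_ip=SINKHOLE_IP):
    """Step 4: got the fake answer AND tried to use it = infected; one log only = a gap."""
    dns_hits = sinkhole_dns_clients(threat_log)
    attempts = sinkhole_contact_attempts(traffic_log, sinkhole_ip)
    contacted = set().union(*attempts.values())
    return {
        "infected": sorted(dns_hits & contacted),
        # fake answer seen, no follow-up: a manual nslookup, or the client's route to
        # the sinkhole IP does not cross the firewall
        "dns_only": sorted(dns_hits - contacted),
        # sinkhole IP reached with no sinkhole answer logged: cached DNS or a resolver
        # path the firewall never sees
        "traffic_only": sorted(contacted - dns_hits),
        "not_blocked": sorted(attempts.get("allow", set())),  # policy gap: tighten it
    }
```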
