We have an infected user, and that user is trying to reach a command and control server. The infected user does a DNS lookup, and since this domain is not hosted locally, the internal DNS server passes the request through the firewall to the external DNS server. The firewall sees the query coming from the internal DNS server rather than from the infected machine, so the logs won't give all the information we need.
We are going to intercept the DNS traffic between the internal and external DNS servers and respond with a DNS answer of our own. Palo Alto sends these DNS requests from the infected machines to 220.127.116.11, which is a Palo Alto assigned address; that forces the traffic to the firewall, where it is blocked and logged appropriately.
You do need a Threat Prevention License.
The antivirus release notes list all the domains that Palo Alto deems suspicious.
This is only needed for traffic going to the internet.
How to Configure DNS Sinkhole
Make sure the latest Anti-Virus updates are installed: Device > Dynamic Updates > click “Check Now”.
Configure DNS Sinkhole in the Anti-Spyware Security Profile: Objects > Anti-Spyware, under Security Profiles.
Create a new Anti-Spyware profile or use an existing one.
Change Action to “sinkhole”.
Set Sinkhole IPv4 to the address mentioned above, 18.104.22.168.
Set Sinkhole IPv6 to ::1.
You then have to apply this security profile to your outbound internet Security Policy rule: select the rule > Actions > choose the Anti-Spyware profile.
If you want to log who is hitting the sinkhole address, you will need to create a deny rule.
Commit the config.
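Once the deny rule is logging, the infected clients can be read out of the traffic log, which is the information the DNS logs alone did not give. The Python below is an added example, not part of the original page or Palo Alto's tooling; the log column names, the rule name sinkhole-deny and the placeholder sinkhole address 192.0.2.1 are assumptions, and the sample rows are constructed.

```python
import csv
import io

SINKHOLE_IP = "192.0.2.1"    # placeholder (TEST-NET-1): use your profile's Sinkhole IPv4
DENY_RULE = "sinkhole-deny"  # hypothetical name of the deny rule created above

# Constructed traffic-log export; the column names are assumptions, not PAN-OS field names.
SAMPLE_LOG = """time,src,dst,rule,action
2024-01-10 09:00:01,10.1.1.10,198.51.100.53,dns-out,allow
2024-01-10 09:00:02,10.1.5.23,192.0.2.1,sinkhole-deny,deny
2024-01-10 09:00:07,10.1.5.23,192.0.2.1,sinkhole-deny,deny
2024-01-10 09:03:40,10.1.7.88,192.0.2.1,sinkhole-deny,deny
2024-01-10 09:04:12,10.1.9.14,192.0.2.1,internet-out,allow
2024-01-10 09:05:00,10.1.5.40,203.0.113.20,internet-out,allow
"""


def sinkhole_report(log_text, sinkhole_ip=SINKHOLE_IP, deny_rule=DENY_RULE):
    """Split traffic to the sinkhole address into logged denies and rule gaps.

    Returns (infected, gaps):
      infected: {client_ip: {"count", "first", "last"}} for hits on the deny rule
      gaps: rows that reached the sinkhole address without matching the deny
            rule, meaning the rule is missing or sits below an allow rule.
    """
    infected, gaps = {}, []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != sinkhole_ip:
            continue  # ordinary traffic, including the DNS server's own queries
        if row["rule"] == deny_rule and row["action"] == "deny":
            entry = infected.setdefault(
                row["src"], {"count": 0, "first": row["time"], "last": row["time"]})
            entry["count"] += 1
            # Timestamps in this format sort correctly as plain strings.
            entry["first"] = min(entry["first"], row["time"])
            entry["last"] = max(entry["last"], row["time"])
        else:
            gaps.append(row)
    return infected, gaps


if __name__ == "__main__":
    infected, gaps = sinkhole_report(SAMPLE_LOG)
    for ip, e in sorted(infected.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {e['count']} hit(s), {e['first']} to {e['last']}")
    for row in gaps:
        print(f"not denied: {row['src']} via rule {row['rule']} ({row['action']})")
```

A non-empty gaps list means some client reached the sinkhole address through another rule, so the deny rule should be moved above the general outbound rule.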