Thank you for this video. However, this implies hosts are accessing Internet directly. How can we achieve this (tagging compromised hosts and taking actions) when users access Internet through a proxy server ? Could we play with the xff header somehow ?
Connection request (usually after dns resolution is done )from client to malware sites will be blocked .If dns request is blocked then whole purpose of using dns sinkhole at firewall will defeated .it is basically used to know the infected client ip or name so that virus or bot can be removed from infected system by antivirus administrator.
@@DeepakKumar-ov8ko Nope, he's right. You first rule would basically deny all dns requests coming from the internal DNS Server, thus preventing all users from accessing internet.
@@giovalleyk if it blocks the whole dns request from internal server , it will be a kind of outage situation and whole purpose of detecting infected system is defeated.
