Understanding DNS Sinkholing for Palo Alto Networks: Concept, Configuration, and Testing

Disclaimer: While I am a Palo Alto Networks employee, my statements and opinions are mine alone.
What if I am limiting my enterprise to access my internal DNS only for upstream and downstream resolutions? In that case, my traffic log does show that hosts are being sinkholed. But in the Threat log, only the DNS server shows up as the one requesting DNS queries to be sinkholed, given that my DNS server and my users are within a zone.
Thanks for posting this video. Jeff, is there a chance to get the report for what malicious domain or URL the host is trying to connect to? Or is it only the host IP that is displayed in the sinkhole concept?
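The two comments above describe the same situation: when clients resolve only through an internal DNS server, the Threat log attributes every sinkhole hit to that resolver, while the Traffic log shows which client hosts then connect to the sinkhole address. The following script is an added example (not part of the video or its comments, and not Palo Alto Networks code) that correlates the two logs. It assumes a configured sinkhole address of 10.0.0.250 and an internal resolver at 10.0.0.53, and it uses constructed log lines in a simplified CSV layout rather than real PAN-OS log syntax.

```python
"""Correlate sinkhole hits in a threat log with client flows to the sinkhole address in a traffic log."""
import csv
import io
import re
from collections import Counter

SINKHOLE_IP = "10.0.0.250"    # assumed: sinkhole address set in the Anti-Spyware profile (placeholder)
INTERNAL_DNS = {"10.0.0.53"}  # assumed: the enterprise's internal resolver(s)

# Constructed sample logs (simplified CSV, not real PAN-OS export format).
THREAT_LOG = """\
receive_time,src,dst,app,action,threat_name
2024-01-01 10:00:01,10.0.0.53,8.8.8.8,dns,sinkhole,Suspicious DNS Query (bad-example.test)
2024-01-01 10:00:05,10.0.0.53,8.8.8.8,dns,sinkhole,Suspicious DNS Query (evil-example.test)
2024-01-01 10:01:00,10.0.0.53,8.8.8.8,dns,alert,Suspicious DNS Query (other-example.test)
"""

TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2024-01-01 10:00:02,10.0.1.17,10.0.0.250,443,ssl,allow
2024-01-01 10:00:03,10.0.1.17,10.0.0.250,80,web-browsing,allow
2024-01-01 10:00:06,10.0.1.42,10.0.0.250,80,web-browsing,allow
2024-01-01 10:00:07,10.0.1.99,192.0.2.10,443,ssl,allow
2024-01-01 10:00:08,10.0.0.53,8.8.8.8,53,dns,allow
"""

# The queried domain is carried in the threat name as "... (domain)".
_DOMAIN_RE = re.compile(r"\(([^)]+)\)\s*$")


def sinkholed_domains(threat_csv):
    """Return {domain: set(source IPs)} for threat-log rows whose action is 'sinkhole'."""
    out = {}
    for row in csv.DictReader(io.StringIO(threat_csv)):
        if row["action"] != "sinkhole":
            continue
        m = _DOMAIN_RE.search(row["threat_name"])
        domain = m.group(1) if m else row["threat_name"]
        out.setdefault(domain, set()).add(row["src"])
    return out


def sinkholed_hosts(traffic_csv, sinkhole_ip=SINKHOLE_IP):
    """Return {client IP: flow count} for traffic-log rows whose destination is the sinkhole address."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if row["dst"] == sinkhole_ip:
            counts[row["src"]] += 1
    return dict(counts)


def correlate(threat_csv, traffic_csv, sinkhole_ip=SINKHOLE_IP, internal_dns=INTERNAL_DNS):
    """Combine both views and flag whether the resolver is hiding the real querying clients."""
    domains = sinkholed_domains(threat_csv)
    hosts = sinkholed_hosts(traffic_csv, sinkhole_ip)
    threat_sources = set().union(*domains.values()) if domains else set()
    return {
        "domains": sorted(domains),
        "threat_log_sources": sorted(threat_sources),
        # True when every sinkhole hit is attributed to an internal resolver, i.e. the
        # Threat log alone cannot name the infected client and the Traffic log is needed.
        "resolver_masks_clients": bool(threat_sources) and threat_sources <= internal_dns,
        "infected_hosts": hosts,
    }


if __name__ == "__main__":
    result = correlate(THREAT_LOG, TRAFFIC_LOG)
    print("Sinkholed domains (Threat log):", ", ".join(result["domains"]))
    print("Threat-log sources:", ", ".join(result["threat_log_sources"]))
    print("Resolver masks clients:", result["resolver_masks_clients"])
    for host, n in sorted(result["infected_hosts"].items()):
        print(f"Host {host} reached the sinkhole {n} time(s); investigate this host")
```

When `resolver_masks_clients` is true, the domain list (from the Threat log) and the host list (from the Traffic log) cannot be joined per query; they can only be lined up by timestamp, which is why the sinkhole action exists in the first place: it turns a resolver-attributed DNS alert into a client-attributed connection attempt.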
Don't you need the DNS Security license along with Threat Prevention? Has this requirement recently changed? I updated to 10.x.x.x and now I get a warning on every commit saying "Warning: No Valid DNS Security License".
Is the external DNS the suspicious one that makes the firewall alert, or is it the domain you are requesting? Also, why don't you just block that domain using URL filtering when the infected machine tries to connect to it after the DNS resolution, or just deny traffic to that IP? I don't understand the advantage of using DNS sinkhole instead of that.