Tuesday, May 17, 2016

Enabling DNS Sinkhole on a Palo Alto Networks Firewall

Have you ever looked at your threat logs and seen tons of spyware hits from your DNS servers? For example in this case where 172.17.1.11 is my internal DNS server.
My DNS server can't possibly be compromised (I hope), why is this? When you step back and think, it makes perfect sense. My firewall doesn't see the original request that a client makes, because it goes to my local DNS server which sits below the firewall. So when the DNS server recurses out to the internet, the firewall catches the bad domain but the problem is it can only pick up on the fact that the request has come from the DNS server.

There has to be a better way! Not to worry, as usual the boys from Palo Alto, CA have the answer. They call it "DNS Sinkhole." In essence you trick the compromised host into resolving a bad domain to an IP north of the firewall. Now when the compromised host attempts to reach the bad domain, the firewall is able to capture the actual source. Think of a classic 80's detective TV show in which the good guys trick the crook into walking right into their dragnet.

So how does it work on a technical level? The DNS Sinkhole feature is a part of an Anti-spyware profile. When enabled, if the firewall sees a DNS request come through for a domain which matches a malicious signature, the firewall intercepts and responds to the request. Remember that this request may have come from an internal DNS server, but this does not matter because the DNS server will treat the response from the firewall as if it were a normal response from a root server and pass back to the requesting host.

Without this feature enabled, the firewall would simply drop the packets and the request would timeout (provided you have an anti-spyware profile configured this way). When using DNS Sinkhole, the host receives a valid response, forged by the firewall. You will be asked to provide an address to use as the A record for such requests. Now this is important, this address must route through the firewall. That is to say, the address you choose to use, must live north of the firewall, such that when the compromised host tries to get to the address, that traffic traverses the firewall. Of course you also want to pick an address which is not already in use.

To configure DNS Sinkhole, go to your Anti-spyware profile. Pro tip: you will not be able to change any settings in the "default" and "strict" profiles provided by Palo Alto Networks; you must either clone them or create a new one. From there go to the DNS Signatures tab. Change the Action to sinkhole and provide a v4 and v6 address to use as the sinkhole. Optionally you may enable packet captures on sinkhole hits. Passive DNS Monitoring anonymously sends DNS information to Palo Alto Networks for threat research. Don't forget to use this profile in your security policies!
Now that we have made our change and committed, we can go look at the threat log again.
Notice that the action has changed from drop-all-packets to sinkhole. This tells us we can find the actual source address in the traffic log. All we have to do now is search in the traffic log for the sinkhole address we configured earlier. You could also spice things up by putting in a deny rule on this destination.
We can now see that the compromised host on my network is actually 172.19.1.21. Release the dogs!