Palo Alto Networks - DNS Sinkhole

Captions
Hi folks, my name is Jeff Talkington and I'm a systems engineer for Palo Alto Networks. Today we're going to talk about DNS sinkholing. We'll talk about why we need to do DNS sinkholing, how to configure it on the Palo Alto Networks next-generation firewall, and finally how to test and verify that it's working properly.

Okay, let's take a look at the problem we're trying to solve. In the lower left we have a user machine that's been infected by malware. As part of the malware process, this infected machine is trying to reach out to a command and control server, which I've labeled "attacker". When the infected user does a DNS request, it will be to the internal DNS server. Since this domain is not hosted locally, the internal DNS server will forward the request to the external DNS server, passing the request through the Palo Alto Networks firewall. Depending on policy, we'll either be blocking or alerting on this resolution to a suspicious DNS domain, but the logs won't give us the information we need. You see, the logs show that the request came from the internal DNS server and will not show us the infected machine. What we're going to do with the DNS sinkhole is intercept that DNS request between the internal DNS server and the external DNS server and respond with an address of our own. Starting in PAN-OS version 7.1, Palo Alto Networks began resolving suspicious DNS queries to the IP address 72.5.65.111. It is a predefined Palo Alto Networks address that will live on our firewall and direct the infected user to the firewall to be blocked and logged appropriately. Let's go to the demonstration so you can see this in action.

Okay, so to get started with our demonstration for DNS sinkhole, I've pulled up our next-generation firewall, and the first thing we're going to do is make sure that we have our licenses and our dynamic updates are good to go. Now with our licenses, obviously we need to make sure we have a support license, but the main thing we need to make sure of is that we have a Threat Prevention license, and you can see that we do and it's still valid. Now our Threat Prevention subscription, that license, is what gives us a lot of the Content-ID capability, where we can do network-based antivirus, we can do our IPS signatures, and in this case, for DNS sinkholing, we get our command and control or C2 signatures. So that's valid; let's move on to dynamic updates. Within dynamic updates we need to make sure we're getting the antivirus updates. That antivirus update is what's going to give us those C2 domains that we're going to be checking against. If we look over here to the right, something to take note of is that we can look at the release notes. The reason I'm telling you this is that if we click on the release notes, another tab will pop up and show you the release notes. This will show you all of those C2 signatures that we will be putting into this particular release, and will show us those domains that we consider to be suspicious. So when we look to do our verification and testing, this is a great resource for finding a domain name to use for testing. In this case I'm going to use this one that I have highlighted here, this cutsie X dot biz. So we'll do our testing against that and make sure everything works as it's supposed to. Okay, so now that we've done that, we'll move on to step two, where we're going to configure DNS sinkhole protection inside our Anti-Spyware profile.

So let's go ahead and do that. We'll jump over to the Objects tab, and under Security Profiles I'm going to click on Anti-Spyware. Now we've got some default profiles; what I've done is created my own custom profile called "alert all". Within that I'm primarily just alerting, until I do my DNS signature portion. So within DNS Signatures I'm going to set my action to sinkhole. We've got the option, there's a drop-down here where we can do alert, allow, block or sinkhole; obviously for sinkholing we'll choose the sinkhole option. Beneath that, what we'll do is select our sinkhole IP address, the IP address that we're going to serve up as the DNS resolution for suspicious DNS queries. In this case there's this predefined IP address that I told you about, this 72.5.65.111, so we'll take note of that. We also need to have an IPv6 address; this is just going to be the loopback IP, and that should be enough for us right there.

Once we do that we can move on to step 3, where we apply this to the policy itself. So let's go into our policies. Where we need to apply this is where we're impacting traffic going out to the Internet, so where we're impacting traffic that's doing this DNS resolution between the internal DNS server and the external DNS server. In this case it's policy number three, my "allow outbound". So what I'm going to do is, within here we're allowing the traffic, but if you look at my profile settings, we've changed our Anti-Spyware to that "alert all" profile that we just set up. Okay, so that's all set.

The next thing we need to do is create a rule to block that DNS sinkhole IP, so that's 72.5.65.111. Once we resolve to that IP address, what we want to do is block traffic going to that IP address and then log it, so the only way to do that is to create a policy for it. So what I've done is created this "block DNS sinkhole" policy, this policy number one here, and what we're doing is a deny based on traffic going to this predefined IP address, that sinkhole IP, the 72.5.65.111. Something to take note of here is that we had to create this object. Now, it was predefined when we were selecting it within the sinkhole IP setting in our profile for Anti-Spyware, but unfortunately for the security policy rule you will have to create this address object in order to make this work. So to create this object, I went ahead and called it "sinkhole 72.5.65.111", so I know exactly what this is. Once we do a deny on that, also make sure you're logging that, so that we get that within our traffic logs.

The next thing we're going to do is go to our Windows 7 box and generate some traffic, and we're going to make sure that we're sending something that we can check the logs against. So on my Windows 7 box, what I've done is an ipconfig, so you can see that the IP address is 192.168.45.147 for this machine. The next thing I'm doing is an nslookup for that suspicious domain, that cutsie X dot biz, and you can see that we do a resolution and the IP address that we're getting is in fact that predefined IP address, that 72.5.65.111. Okay, so that's all working fine. What we need to do now is check our Monitor and make sure that we are seeing this traffic. So we'll look at the traffic, and what I want to do here is create a filter specifically for that destination IP address, that 72.5.65.111. I've done that now, and what you can see is that we have IPs, specifically this is my Windows 7 IP at 192.168.45.147, going to the predefined DNS sinkhole IP and being blocked by our rule, the "block DNS sinkhole" rule. So now we're appropriately logging these connections from an infected host trying to reach out to a command-and-control server, so immediately I know that this is an infected host.

One of the other things we can do is create custom reports around this, and you'll see that I've already created one here. Let me show you how this is all set up. You can do this by going to Manage Custom Reports under the Monitor tab, and here I created a report called "sinkhole". So if we look at that, what I've done is I'm taking a look at the traffic log. Make sure that you're doing this: if you want to see the sinkhole IPs, or what we've denied using the sinkhole address, that's going to be in the traffic log. The other thing we're going to do is use the query builder, so I'm going to add a query specifically for this particular destination IP address. So let's go in here: destination address, we'll set it to include, and we'll put a value of 72.5.65.111, we'll select add and then we'll click on OK. And then we should be able to run this, and you'll see that our address, this is our Windows 7 box, and it's going to that sinkhole IP. I've also done some nslookups from our internal server, our internal DNS server, so you'll see that on here as well, but since we know this is our internal DNS server, we know we can ignore that. The one we'll need to take a look at is this 192.168.45.147. Now the great part about this is, now that I have a custom report, I can simply export this to a PDF, CSV or XML file. I can send this over into ServiceNow and ticket it automatically if I want to, we can e-mail this out to our help desk and send them out, and they know for certain that they have an infected machine that's trying to reach out to a command-and-control domain.

So very quickly here, what we've done is we've created a way where we can see infected users trying to reach out to command and control servers. We've created our DNS sinkhole, we've been able to create a deny rule that allows us to block that and log it appropriately, we're able to see that in the traffic logs, and finally we're able to create a custom report so we can go out and remediate these devices. Thanks for watching.
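The triage step the video does by hand in the custom report (filter the traffic log on the sinkhole destination, ignore the internal DNS server, read off the infected hosts) is shown below as a small Python script. This is an added example, not code from the video or from Palo Alto Networks. The log records are constructed for illustration and use a simplified, hypothetical column layout (`time,src,dst,dport,action,rule`) rather than the real PAN-OS traffic-log export schema; the address `192.168.45.10` is assumed to be the internal DNS server. Beyond what the video shows, the script also flags connections to the sinkhole address that were *not* denied, which is what you will see if the "block DNS sinkhole" rule is missing or sits below the outbound allow rule.

```python
"""
Triage of firewall traffic-log records for DNS-sinkhole hits.

Added example (not the video's or Palo Alto Networks' code). The sample
records and the column names are constructed for illustration and do not
follow the real PAN-OS traffic-log CSV schema; map them to your own export.
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address

# Sinkhole addresses as configured in the video: the predefined IPv4
# sinkhole address and the loopback address used for IPv6.
SINKHOLE_ADDRESSES = {ip_address("72.5.65.111"), ip_address("::1")}

# Constructed sample export (hypothetical columns, not the PAN-OS schema).
# 192.168.45.10 is assumed to be the internal DNS server, which shows up
# when an admin runs test lookups from it.
SAMPLE_LOG = """\
time,src,dst,dport,action,rule
2017-06-21 10:01:02,192.168.45.147,72.5.65.111,80,deny,block DNS sinkhole
2017-06-21 10:01:03,192.168.45.147,72.5.65.111,443,deny,block DNS sinkhole
2017-06-21 10:02:10,192.168.45.10,72.5.65.111,80,deny,block DNS sinkhole
2017-06-21 10:03:44,192.168.45.200,93.184.216.34,443,allow,allow outbound
2017-06-21 10:04:01,192.168.45.133,72.5.65.111,8080,deny,block DNS sinkhole
2017-06-21 10:05:00,192.168.45.77,72.5.65.111,80,allow,allow outbound
"""


def is_sinkholed(resolved):
    """True if a resolver answer (the address an nslookup returned) is one of
    the sinkhole addresses. Non-address strings (a failed lookup, an error
    message) are treated as not sinkholed rather than raising."""
    try:
        return ip_address(resolved.strip()) in SINKHOLE_ADDRESSES
    except ValueError:
        return False


def _sinkhole_rows(log_text):
    """Yield (row, src, dst) for every well-formed record whose destination is
    a sinkhole address. Malformed rows (blank or garbage addresses) are skipped."""
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ip_address(row["src"])
            dst = ip_address(row["dst"])
        except ValueError:
            continue
        if dst in SINKHOLE_ADDRESSES:
            yield row, src, dst


def sinkhole_hits(log_text, exclude=()):
    """Counter of source address -> connections to a sinkhole address.

    Any host that connects to the sinkhole address resolved a sinkholed
    domain, whether or not the block rule fired, so the action is not
    consulted here. Sources in `exclude` (your internal DNS servers) are
    dropped, matching the manual step of ignoring the DNS server in the report.
    """
    excluded = {ip_address(a) for a in exclude}
    hits = Counter()
    for _row, src, _dst in _sinkhole_rows(log_text):
        if src not in excluded:
            hits[src] += 1
    return hits


def suspected_infected(log_text, exclude=()):
    """Sorted list of (source address as str, hit count), most hits first."""
    return [(str(s), n) for s, n in sinkhole_hits(log_text, exclude).most_common()]


def policy_gaps(log_text):
    """Rows where traffic to a sinkhole address was not denied. Each one means
    the block rule did not match: it is missing, disabled, or ordered below
    the rule that allowed the traffic."""
    return [row for row, _src, _dst in _sinkhole_rows(log_text)
            if row["action"].strip().lower() != "deny"]


if __name__ == "__main__":
    for src, n in suspected_infected(SAMPLE_LOG, exclude=["192.168.45.10"]):
        print(f"{src}: {n} connection(s) to the sinkhole address")
    for row in policy_gaps(SAMPLE_LOG):
        print(f"NOT DENIED: {row['src']} -> {row['dst']} via rule '{row['rule']}'")
```

On the constructed sample, `192.168.45.147` (the video's Windows 7 box) is listed first with two hits, the DNS server is excluded, and the `192.168.45.77` record is reported as a policy gap because it reached the sinkhole address through the outbound allow rule. When a DNS server's own lookups are the only way infected hosts are hidden, excluding it is safe; if the DNS server itself could be compromised, run the report once without the exclusion as well.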
Info
Channel: Jeff Talkington
Views: 25,813
Id: WWU_tt3YzZk
Length: 11min 42sec (702 seconds)
Published: Wed Jun 21 2017