Tutorial: Auto-tagging & DNS Sinkhole

Nice. Thanks for that comment! I specifically went down to the comments to see if anyone noticed this issue. I was wondering why you didn't add the quarantine log forwarding profile to a rule blocking traffic to the synchole address rather than the allow traffic rule. And it totally makes sense changing the log filter match to just match traffic going to the synchole destination address. Thanks for the great video!

Hi, not sure if I get this right. Basically what's you saying is that the log type should be Traffic instead of threat under Log Forwarding Profile Match list, keep the filter - Action eq sinkhole and under Built in action use Destination address as a Target ? 🙄

this video was *SMOKE & MIRRORS...*
all he's doing is Quaratining his DNS server.
FAIL
FAIL
FAIL
Was anyone able to TWEAK the *Log-Forward Profile* to target the SINKHOLE address (instead of 'action eq sinkhole')
?

@@HughJass-jv2lt You people don't understand how the sinkhole actually works. The DNS server isn't ever attempting to go to the malicious website. It's ONLY attempting to go the an external name server. The firewall sees the query to an external name server requesting resolution for a domain the firewall recognizes as malicious and responds to the internal name server with a sinkhole IP address set up by the firewall administrator.
The ONLY IP address that will EVER get sinkholed is the source IP address that is attempting to connect to the IP address of the sinkhole. Since the internal name server never attempted to reach out to any other server other than the external name server, the internal name server will NEVER attempt to connect to the sinkhole IP address.
This will NOT quarantine the DNS server because the DNS server never tried to connect to the malicious site. This isn't how DNS works at all! lmao.

The internal DNS server is never attempting to connect to the malicious site. It's attempting to reach out to an external name server. The only time anything will ever hit the sinkhole is when a device attempts to reach out to the sinkhole IP address, which the name server would never attempt to do.
The internal DNS server could attempt to query the external name server 1000 times and it would never get quarantined because the internal DNS server is never going to attempt to connect the to malicious site. The firewall is ONLY looking for an attempted connection the the sinkhole IP address, which only the client would be attempting to reach out to because of the query results the internal DNS server gave it.
An internal name server doesn't connect to the requested sites on behalf of the client. That's not how DNS works and it's not how the sinkhole feature works either.
Now, you could end up quarantining your Web Proxy servers depending on how your network is designed, but name resolution isn't ever what's going to get you sinkholed. It's the actual reaching out to the sinkhole IP address that gets you quarantined.

Glad it was helpful!
As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there:
live.paloaltonetworks.com

Remember that if you are accessing a website with https, I believe that you'll need to enable ssl forward proxy decryption in order to get the response page.

@@linuxbowling Exactly! SSL Decryption is needed for the override page to be displayed if the site is tls encrypted.

You can edit, google HTML to word

this video was *SMOKE & MIRRORS...*
8:50
all he's doing is Quaratining his DNS server.
FAIL
FAIL
FAIL
:\

Okay...
upon further review:
17:00
It's *STEP #3* that needs to be rewritten....
_somehow set the LOGIC to target Destination-ipaddress EQUALS ipaddress-of-sinkhole_
^assuming this is possible....
then That would do it.
This would be a viable solution.

Hi! you can manually clear a tag by using this command: clear auto-tag vsys ip tag-dest tags [ ... ]