If you review your firewall logs on a regular basis, you may notice that you have a number of suspicious DNS requests to legitimate or well-known external DNS servers. The cause of this could be a number of things; such as an advanced persistent threat, command and control, or spyware calling home.
Because of the nature of DNS being a UDP connection, there is no acknowledgment sent back to the sender in the session and it can be easily intercepted. By investigating the alerts in firewall logs, we’ve seen many situations where customers have asked us to help mitigate this from happening and asking for advice on how to handle these events.
One of the main ways to address this is to implement a DNS sinkhole on the Next-Generation Firewall. DNS sinkholing is used to provide wrong DNS resolution and alternate the path of the users to different resources instead of the malicious or non-accessible content. A sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by security analysts. Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.
To configure a DNS sinkhole, create a clone of the anti-spyware profile and in the cloned profile, add the IP address that would be used to send suspicious DNS requests to the sinkhole. From here, add that profile to the security policy that permitted outbound DNS requests and then configure a policy so no internal hosts would be able to browse or send requests to the IP address used for sinkhole.
It’s important to have security monitoring in place to make sure you catch this type of suspicious behavior! Monitoring your security devices adds another layer of protection between you and cyber attackers.