DNS Sinkhole functionality

ChiefSec-SF
Level 1

I am trying to get the Sinkhole feature working, using this page as a guide:

http://www.packetu.com/2016/07/05/firepower-threat-defense-dns-sinkholing/

I set the Sinkhole object address as a valid but unused address in our DMZ. I have had no issues following the instructions, the DNS policy is associated with the Access Protection policy and when I test it the results are not what would be expected...

The detections do show up in the Security Intelligence category, but the traffic is logged with the internal DNS server listed as the source instead of the originating client (which is the problem sinkholing is supposed to help solve).

From the client side, when I do an nslookup command for the test domain configured, the client just receives a "server failed" error. I expect to see my sinkhole address returned as the response IP for the test domain, and that is not happening.

Has anyone else run into this before? 

Update:

I confirmed that if I change the client DNS server setting to query a public DNS server directly, the sinkhole IP is returned correctly. So there appears to be different behavior when the query is recursive from an internal DNS server. I suspect there are not very many environments where setting all the clients to use public DNS servers would be practical, so there must be a solution.


Hello,

I have the same problem. Did you find any solution for this issue?

Thanks

Shabeeb

ChiefSec-SF
Level 1

For anyone else having this issue, I was able to work with support to resolve the problem.

There is a documented bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb99851/?reffering_site=dumpcr

Apparently the use of DNS extensions (EDNS) breaks the Sinkhole feature.

Link on how to disable the extensions for MS DNS servers:

https://support.microsoft.com/en-us/help/832223/some-dns-name-queries-are-unsuccessful-after-you-deploy-a-windows-based-dns-server

(Applies to Server 2008 and above)

Disabling these extensions fixed the problem for us.
