Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1299
Views
5
Helpful
6
Replies

Sinkholing server regarding ASA firepower services

crux_jha1
Level 1
Level 1

‎06-08-2016 05:46 AM - edited ‎03-12-2019 12:51 AM

I run ASA with firepower services at multiple clients and have been wordeing about the new DNS sinkholing feature. My main goal would be to get insight on what IPs are generating the DNS querys for bad domains (right now i only see the internal recursive DNS server as the source). Does the Sinkhole IP has to be a server that actually respond to querys or can i just use a unused IP in my public IP range?

BR

Josef

2 people had this problem
Labels:
0 Helpful
6 Replies 6

ankojha
Level 3
Level 3

‎06-09-2016 06:40 AM

Hi Josef,

For sinkholing , you can have unused ip in any public range as we are basically detecting bad DNS queries in the first place without waiting for actual response.

Rate if it helps.

Thanks,

Ankita

crux_jha1
Level 1
Level 1
In response to ankojha

‎06-09-2016 06:48 AM

Thanks!

Do FMC report on what clients try to communicate with the sinkhole IP besides in the connection events? Will there be a SI/Malware/IPS event generated?

BR

Josef

0 Helpful

ChiefSec-SF
Level 1
Level 1

‎11-10-2016 11:39 AM

Have you made any progress on this? I also set this up within Sourcefire but the Sinkhole IP address is only returned for direct queries and recursive queries return just a server failed message. If you have found a resolution, please post. Thanks.

0 Helpful

crux_jha1
Level 1
Level 1
In response to ChiefSec-SF

‎12-04-2016 11:47 PM

I havn't had the time to set this up, so no.

0 Helpful

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎12-03-2016 04:11 AM

Hello,

Did you find any solution for this issue?. I have the same problem.

Thanks

Shabeeb

0 Helpful

ChiefSec-SF
Level 1
Level 1

‎02-10-2017 07:43 AM

There is a documented bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb99851/?reffering_site=dumpcr

Apparently the use of DNS extensions breaks the Sinkhole feature. 

Link on how to disable the extensions for MS DNS servers:

https://support.microsoft.com/en-us/help/832223/some-dns-name-queries-are-unsuccessful-after-you-deploy-a-windows-based-dns-server

(Applies to Server 2008 and above)

After disabling this the Sinkholing feature started working correctly by responding to the recursive queries from our internal DCs. However the SI events still only show the DC as the source of the query. You will need to look in connection events for the attempted network connections to the Sinkhole IP in order to identify the actual source of the original query. Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card