Guide
TrainingSupportCommunity

Security Connector as a DNS sinkhole

Suggest Edits

When Security Connector is set up as a DNS sinkhole, it receives suspicious or malicious traffic and identifies machines that:

  • Are infected with malware
  • Attempt to download malware
  • Make requests to command and control servers

Security Connector records information about the machine that made the request such as the machine name and internal IP address of the end user's machine. This information allows you or an IT administrator to identify compromised machines in your network and take the appropriate remediation steps.

Security Connector captures information sent by the client machine. This information includes:

  • Internal IP address
  • Machine name (internal client name)
  • Source port
  • Destination port
  • Hostname in an HTTP request or in the TLS Server Name Identification (SNI) field
  • User agent from an HTTP request

📘

The machine name is reported only if DNS Pointer (PTR) records are configured on the DNS name server that is used to communicate with the security connector. ​SIA​ performs a reverse IP address lookup to identify this information.

Traffic is directed to Security Connector based on the policy configuration in ​SIA​. In a policy, you can assign Security Connector to a threat category or a list. A security connector is available for assignment when:

  1. Block is the policy action selected for a category or custom list.

  2. Error Page is set as the response to users.

After setting the Error Page response, you can then select a specific Security Connector.

👍

As a best practice, assign a security connector to the malware and C&C categories. A C&C threat indicates that a user's machine is already compromised by the time it's detected. To clean compromised machines, you can use Security Connector to identify infected machines and get the information you need for remediation.

Depending on whether ​SIA​ Proxy is enabled in the policy, different network flows apply. For more information, see Network flow of DNS sinkhole.

The information and events that are captured by the security connector are available for analysis in ​SIA​. ​SIA​ correlates Security Connector event data with threat event data. You can view this data on the Security Connector activity report.

If the proxy is disabled, these conditions apply:

  • As a performance optimization, many browsers may prefetch the DNS names in all links on a webpage. Although not all these links are accessed by a user, the prefetched resolutions generate DNS events in ​SIA​. If a user accesses any of these links, correlated security connector events and the user's internal IP address are also reported.

  • Not all malicious DNS traffic originating from a user will have a corresponding Security Connector event. DNS resolutions may be cached on the user's computer and Enterprise DNS Resolvers. As a result, there may be situations when traffic is resolved by these cached responses and no new DNS event is generated.

Network flow of DNS sinkhole

Depending on whether ​SIA​ Proxy is enabled or disabled, these network flows apply:

Network flow when ​SIA​ Proxy is enabled

  1. The end user requests a URL, and the first DNS resolution occurs:

    1. The browser makes a DNS request. The corporate network egress IP address is associated with a location configuration in ​SIA​. As a result, the policy assigned to that location is applied.

    2. ​SIA​ identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of ​SIA​ Proxy.

  2. These steps apply to HTTP traffic:

    1. The browser sends the HTTP or HTTPS request to ​SIA​ Proxy. The corporate network egress IP address is associated with a location configuration in ​SIA​. As a result, the policy assigned to that location is applied.

    2. ​SIA​ identifies the HTTP resource as malicious. Based on a policy configuration, the client is redirected to the security connector on the corporate network.

  3. Malicious HTTP and HTTPS requests that were directed to the proxy are redirected to Security Connector. The end user's machine sends a request to Security Connector.

    📘

    HTTP and HTTPS traffic is redirected to Security Connector 2.5.0 or later.

  4. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is redirected to the custom error page that corresponds to the threat type or category. For more information on error pages, see the Error pages help topic.

  5. Security Connector sends the internal IP address and other collected machine information to ​SIA​. ​SIA​ Proxy and ​SIA​ DNS also sends information to ​SIA​ reporting. ​SIA​ reporting correlates data and shows the internal IP address and machine name in each threat event.

Network flow when ​SIA​ Proxy is disabled

  1. For a DNS request:

    1. An end user makes a DNS request. The corporate network egress IP address is associated with a location configuration in ​SIA​. As a result, the policy assigned to that location is applied.

    2. ​SIA​ identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of the security connector on the corporate network.

  2. The end user's machine sends a network request to Security Connector.

  3. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is shown the Website Access is Prohibited custom error page. For more information on error pages, see the Error pages help topic.

  4. Security Connector sends the internal IP address and other collected machine information to ​SIA​ reporting. ​SIA​ DNS also sends information to ​SIA​ reporting where data correlation occurs. ​SIA​ reports show the internal IP address and machine name in each threat event.

Updated over 2 years ago