Original text and source
DNS Sinkholing
The DNS sinkhole action that you can enable in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature can be used to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log identifies the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a sinkhole IP address that you define. Infected hosts can then be easily identified in the traffic logs, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
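As an added illustration (example code written for this page, not code from the PAN-OS documentation or from Palo Alto Networks), the following Python script simulates the two halves of this workflow with constructed data: the sinkhole decision the firewall makes for a DNS query, and a pass over traffic-log lines that identifies the hosts connecting to the sinkhole address. The sinkhole address 10.0.0.250, the resolver address 10.0.0.53, the malicious domain list and the log lines are all assumptions made up for this example.

```python
from collections import Counter

# Assumptions for this example (not values from the PAN-OS documentation):
SINKHOLE_IP = "10.0.0.250"     # unused internal address, routed via the firewall
LOCAL_RESOLVER = "10.0.0.53"   # the site's DNS server, south of the firewall
MALICIOUS_DOMAINS = {"evil-c2.example", "bad-update.example"}  # constructed list


def sinkhole_response(qname, sinkhole_ip=SINKHOLE_IP):
    """Decide what the firewall answers for an A query.

    Returns the sinkhole IP when the name (or any subdomain of it) is on the
    malicious list, and None when the query should be forwarded unchanged.
    """
    name = qname.rstrip(".").lower()
    for bad in MALICIOUS_DOMAINS:
        if name == bad or name.endswith("." + bad):
            return sinkhole_ip
    return None


# Constructed threat-log lines: "<time> <src> <dst> <qname> <action>".
# The firewall sits north of the resolver, so every query appears to come
# from LOCAL_RESOLVER rather than from the real client.
THREAT_LOG = """\
2024-01-01T10:00:01 10.0.0.53 203.0.113.10 evil-c2.example sinkhole
2024-01-01T10:00:05 10.0.0.53 203.0.113.10 bad-update.example sinkhole
2024-01-01T10:01:00 10.0.0.53 203.0.113.10 www.example.net allow
"""

# Constructed traffic-log lines: "<time> <src> <dst> <dport> <proto> <action>".
# Clients that received a forged answer now try to reach the sinkhole address.
TRAFFIC_LOG = """\
2024-01-01T10:00:02 192.168.1.20 10.0.0.250 443 tcp allow
2024-01-01T10:00:06 192.168.1.77 10.0.0.250 8080 tcp allow
2024-01-01T10:00:07 192.168.1.20 10.0.0.250 443 tcp allow
2024-01-01T10:01:01 192.168.1.33 198.51.100.5 443 tcp allow
"""


def threat_log_sources(log_text):
    """Source IPs of sinkholed queries: shows why the threat log alone
    cannot name the infected host when a resolver sits in between."""
    sources = set()
    for line in log_text.splitlines():
        _time, src, _dst, _qname, action = line.split()
        if action == "sinkhole":
            sources.add(src)
    return sorted(sources)


def find_infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Map each source IP that attempted a connection to the sinkhole
    address to its number of attempts; these are the likely infected hosts."""
    hits = Counter()
    for line in log_text.splitlines():
        _time, src, dst, _dport, _proto, _action = line.split()
        if dst == sinkhole_ip:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("forged answer:", sinkhole_response("cdn.evil-c2.example."))
    print("threat log blames:", threat_log_sources(THREAT_LOG))
    print("sinkhole connections by host:", find_infected_hosts(TRAFFIC_LOG))
```

The threat-log pass returns only the resolver address, which is the visibility gap described above; the traffic-log pass returns the real client addresses. In a live deployment the sinkhole address must be one that is not otherwise in use and whose traffic actually crosses the firewall, otherwise the connection attempts never reach the traffic log and the hosts stay invisible.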
DNS Sinkhole Workflow
The following illustration shows an example of how to identify client hosts that are attempting to communicate with known malicious domains: