Security Connector as a DNS sinkhole
Security Connector identifies machines in your network that:
- are infected with malware
- attempt to download malware
- make requests to command and control servers
Security Connector records information about the machine that made the request such as the machine name and internal IP address of the end user's machine. This information allows you or an IT administrator to identify compromised machines in your network and take the appropriate remediation steps.
The recorded details include:
- Internal IP address
- Machine name (internal client name)
- Source port
- Destination port
- Hostname in an HTTP request or in the TLS Server Name Indication (SNI) field
- User agent from an HTTP request
Security Connector acts as a DNS sinkhole when the policy meets both of these conditions:
- Block is the policy action selected for a category or custom list.
- Error Page is set as the response to users.
After setting the Error Page response, you can then select a specific Security Connector.
Depending on whether ETP Proxy is enabled in the policy, different network flows apply. For more information, see Network flow of DNS sinkhole.
The information and events that are captured by Security Connector are available for analysis in ETP. ETP correlates Security Connector event data with threat event data. You can view this data on the Security Connector activity report.
Note the following about how events are reported:
- As a performance optimization, many browsers prefetch the DNS names of all links on a webpage. Although the user does not access all of these links, the prefetched resolutions generate DNS events in ETP. If a user does access one of these links, the correlated Security Connector events and the user's internal IP address are also reported.
- Not all malicious DNS traffic originating from a user has a corresponding Security Connector event. DNS resolutions may be cached on the user's computer and on enterprise DNS resolvers, so traffic can be resolved from these cached responses without generating a new DNS event.
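As an added example (not code from the ETP documentation), the correlation described above in Python: Security Connector events are joined to DNS threat events by hostname, so that a DNS event with a matching connector event yields the internal IP and machine name to remediate, while a DNS event with no connector event (prefetch or cached resolution) is reported separately because it identifies no machine. The event field names and the sample data are assumed and constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsEvent:           # DNS threat event as ETP reports it (field names assumed)
    domain: str
    category: str

@dataclass(frozen=True)
class ConnectorEvent:     # the fields the page says Security Connector records
    internal_ip: str
    machine_name: str
    src_port: int
    dst_port: int
    hostname: str         # HTTP Host header or TLS SNI
    user_agent: str

def _norm(name):
    return name.lower().rstrip(".")

def correlate(dns_events, connector_events):
    """Join DNS threat events to Security Connector events by hostname.
    Returns (confirmed, unconfirmed). confirmed maps (internal_ip, machine_name)
    to the threat domains that machine actually connected to. unconfirmed lists
    domains seen only at the resolver (browser prefetch, cached resolution), for
    which no machine can be identified.
    """
    by_host = defaultdict(list)
    for c in connector_events:
        by_host[_norm(c.hostname)].append(c)
    confirmed, unconfirmed = defaultdict(set), []
    for d in dns_events:
        domain = _norm(d.domain)
        if domain not in by_host:
            unconfirmed.append(domain)
            continue
        for c in by_host[domain]:
            confirmed[(c.internal_ip, c.machine_name)].add(domain)
    return dict(confirmed), unconfirmed

# Constructed sample: two threat domains resolved, only one followed by a connection.
SAMPLE_DNS = [DnsEvent("c2.example.test", "Command and Control"),
              DnsEvent("dropper.example.test", "Malware")]  # prefetched, never fetched
SAMPLE_CONNECTOR = [ConnectorEvent("10.20.30.40", "WS-FINANCE-07", 51234, 443,
                                   "c2.example.test", "Mozilla/5.0")]

if __name__ == "__main__":
    hits, noise = correlate(SAMPLE_DNS, SAMPLE_CONNECTOR)
    for (ip, name), domains in hits.items():
        print(f"remediate {name} ({ip}): connected to {sorted(domains)}")
    print("DNS-only, no machine identified:", noise)
```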