Security Connector as a DNS sinkhole

When Security Connector is set up as a DNS sinkhole, it receives suspicious or malicious traffic and identifies machines that:
  • are infected with malware
  • attempt to download malware
  • make requests to command and control servers

Security Connector records information about the machine that made the request such as the machine name and internal IP address of the end user's machine. This information allows you or an IT administrator to identify compromised machines in your network and take the appropriate remediation steps.

Security Connector captures information sent by the client machine. This information includes:
  • Internal IP address
  • Machine name (internal client name)
  • Source port
  • Destination port
  • Hostname in an HTTP request or in the TLS Server Name Identification (SNI) field
  • User agent from an HTTP request
Note: The machine name is reported only if DNS Pointer (PTR) records are configured on the DNS name server that is used to communicate with the security connector. ETP performs a reverse IP address lookup to identify this information.
Traffic is directed to Security Connector based on the policy configuration in Enterprise Threat Protector (ETP). In a policy, you can assign Security Connector to a threat category or a list. A security connector is available for assignment when:
  1. Block is the policy action selected for a category or custom list.
  2. Error Page is set as the response to users.

After setting the Error Page response, you can then select a specific Security Connector.

Tip: As a best practice, assign a security connector to the malware and command and control (C&C) categories. A C&C threat indicates that a user’s machine is already compromised by the time it’s detected. To clean compromised machines, you can use Security Connector to identify infected machines and get the information you need for remediation.

Depending on whether ETP Proxy is enabled in the policy, different network flows apply. For more information, see Network flow of DNS sinkhole.

The information and events that are captured by the security connector are available for analysis in ETP. ETP correlates Security Connector event data with threat event data. You can view this data on the Security Connector activity report.

If the proxy is disabled, these conditions apply:
  • As a performance optimization, many browsers may prefetch the DNS names in all links on a webpage. Although not all these links are accessed by a user, the prefetched resolutions generate DNS events in ETP. If a user accesses any of these links, correlated security connector events and the user’s internal IP address are also reported.
  • Not all malicious DNS traffic originating from a user will have a corresponding Security Connector event. DNS resolutions may be cached on the user's computer and Enterprise DNS Resolvers. As a result, there may be situations when traffic is resolved by these cached responses and no new DNS event is generated.
For more information on event correlation, see the ETP online help.