
DNS Sink Holing to identify infected hosts

Are there any plans for Sophos XG to implement DNS sinkholing, where malicious DNS requests are resolved to a "black-holed" IP address and, once a host tries to communicate with this IP address, we can identify the infected host? This would save a huge amount of time examining DNS server logs for the source of malicious DNS requests. Palo Alto have this:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing#idbb4e9a0f-06f1-41eb-98d5-91f4d985b1b7

  • Hello there,

    The current two ways the Sophos Firewall protects against DNS-Level threats are the following:

    1. Use a sanctioned DNS server:
    • Redirect all DNS requests to a specific/sanctioned DNS server. It can be done by creating a NAT rule. Example below.


    • If we create a NAT rule for the DNS service, we can stop a laptop/endpoint in your network from using its own DNS server. However, modification of the laptop's local hosts file entries can't be stopped with that.
    • Having said that, Intercept X does a pretty good job of protecting against local poisoning of hosts files, etc. Also, ATP helps a bit by blocking access to IPs known to be associated with malware attacks.


    2. Pharming protection – how the DNS service of XG does pharming protection:
    • Pharming protection works by intercepting a TLS or an HTTP connection and looking for the hostname that the user is trying to connect to. For TLS this is in the Client Hello packet, and for HTTP it is in the Host header of the HTTP request.
    • When pharming protection is turned off, the proxy ignores this and just connects upstream on the same destination IP that the client was trying to connect to.
    • If pharming protection is on, XG will do its own DNS lookup using the DNS server configured on XG.
    • Example: If the hosts file has an entry for www.google.com that points to 199.199.199.199, the client will make the outbound TCP connection to 199.199.199.199. The proxy intercepts that connection and pretends to be the web server, so the client sends the TLS Client Hello or the HTTP request. If Pharming Protection is off, the proxy just connects to 199.199.199.199 and passes the request on to that server, which could be bad. But the proxy can see that the Client Hello or HTTP request has the hostname www.google.com. So if pharming protection is on, the proxy will do its own DNS lookup using the DNS server configured on XG. If that responds with 101.101.101.101, then the proxy will connect upstream to 101.101.101.101 instead of 199.199.199.199.

    In summary, ATP will log the source of the request. If the Firewall is seeing all the requests directly from the end users (using the Firewall as a resolver), then the ATP logs would show you what you would get from a sinkhole log (a list of IPs that have queried malicious domains).

    However, if the Firewall isn't the DNS resolver for the endpoints, as the requests come from an internal DNS server, then the ATP logs would be a bit less useful, as everything will be logged with the DNS server as the source.

    If this is your case, then you should consider whether you can rearrange your network and DNS server setup to ensure that the Firewall sees the DNS traffic coming first-hand from the endpoints.

    But yes, your sinkhole would be a Feature Request as of now.

    To submit your idea, reach out to your Sophos Partner, Sales Representative, or Sales Engineer, so they can enter the information directly into the Feature Request system.

    Additionally, you can use the in-product feedback in the Sophos Firewall located in the Top Menu bar.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
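As an added illustration of the pharming-protection flow Emmanuel describes (example code written for this thread, not Sophos's implementation): the proxy reads the hostname the client asked for from the TLS Client Hello SNI or the HTTP Host header, resolves it with its own DNS, and connects upstream to that answer instead of the client's destination IP. The XG_DNS table, the build_client_hello helper and the fall-back to the client's IP when no hostname can be resolved are assumptions of this example.

```python
import struct

XG_DNS = {"www.google.com": "101.101.101.101"}  # constructed stand-in for XG's configured DNS

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only a server_name extension."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(record: bytes):
    """Return the server_name (SNI, RFC 6066) from a TLS ClientHello record, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                       # not a handshake / ClientHello
    hs = record[5:]
    pos = 4 + 2 + 32                                      # handshake header, version, random
    pos += 1 + hs[pos]                                    # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
    pos += 1 + hs[pos]                                    # compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                 # walk the extensions
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                    # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def host_from_http(request: bytes):
    """Return the Host header of a plaintext HTTP request (port stripped), else None."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace").split(":")[0]
    return None

def upstream_ip(client_dst_ip: str, first_bytes: bytes, pharming_protection: bool) -> str:
    """Decide where the proxy connects; falls back to the client's IP if nothing resolves (assumption)."""
    if not pharming_protection:
        return client_dst_ip                              # proxy ignores the hostname entirely
    host = sni_from_client_hello(first_bytes) or host_from_http(first_bytes)
    resolved = XG_DNS.get(host) if host else None
    return resolved or client_dst_ip
```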