Configure DNS Sinkholing

Where Can I Use This?
What Do I Need?
  • NGFW
  • Advanced Threat Prevention or Threat Prevention License
To enable DNS sinkholing, attach the default Anti-Spyware profile to a firewall security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signature source that you specify are resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4— and a loopback address IPv6 address—::1. These address are subject to change and can be updated with content updates.
  1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    1. Select
      Security Profiles
    2. Modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name
      the profile and select the
      DNS Policies
    4. Verify that
      is present in the
      Signature Source
    5. (
      ) In the
      Packet Capture
      drop-down, select
      to capture the first packet of the session or
      to set between 1-50 packets. You can then use the packet captures for further analysis.
  2. Verify the sinkholing settings on the Anti-Spyware profile.
    1. On the
      DNS Policies
      tab, verify that the
      Policy Action
      on DNS queries is
    2. In the DNS Sinkhole Settings section, verify that
      is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
      If you want to modify the
      Sinkhole IPv4
      Sinkhole IPv6
      address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    3. Click
      to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select
      and select a security policy rule.
    2. On the
      tab, select the
      Log at Session Start
      check box to enable logging.
    3. In the Profile Setting section, click the
      Profile Type
      drop-down to view all
      . From the
      drop-down and select the new profile.
    4. Click
      to save the policy rule.
  4. Test that the policy action is enforced by monitoring the activity on the firewall.
    1. Select
      and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
    2. Select
      and filter by
      (action eq sinkhole)
      to view logs on sinkholed domains.

Recommended For You