Advanced Threat Prevention Administration
  • Advanced Threat Prevention Administration
  • Advanced Threat Prevention Powered by Precision AI® Documentation
  • All Documentation
>
Configure DNS Sinkholing
Focus
Download PDF
Focus
  1. Home
  2. Advanced Threat Prevention Powered by Precision AI®
  3. Configure Threat Prevention
  4. Use DNS Queries to Identify Infected Hosts on the Network
  5. Configure DNS Sinkholing
Download PDF
Advanced Threat Prevention Powered by Precision AI®

Configure DNS Sinkholing

Table of Contents

Configure DNS Sinkholing

Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced Threat Prevention (for enhanced feature support) or Threat Prevention License
To enable DNS sinkholing, attach the default Anti-Spyware profile to a firewall security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signature source that you specify are resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4—sinkhole.paloaltonetworks.com and a loopback address IPv6 address—::1. These address are subject to change and can be updated with content updates.
  1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name the profile and select the DNS Policies tab.
    4. Verify that default-paloalto-dns is present in the Signature Source.
    5. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
  2. Verify the sinkholing settings on the Anti-Spyware profile.
    1. On the DNS Policies tab, verify that the Policy Action on DNS queries is sinkhole.
    2. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
      If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    3. Click OK to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select PoliciesSecurity and select a security policy rule.
    2. On the Actions tab, select the Log at Session Start check box to enable logging.
    3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down and select the new profile.
    4. Click OK to save the policy rule.
  4. Test that the policy action is enforced by monitoring the activity on the firewall.
    1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
    2. Select MonitorLogsThreat and filter by (action eq sinkhole) to view logs on sinkholed domains.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.