Advanced DNS Security Powered by Precision AI®
Manage DNS Sinkhole Settings
Describes how to manage the DNS sinkhole configuration for your Advanced DNS Security Resolver.
The sinkhole redirects malicious or otherwise unwanted DNS queries to IPv4 or IPv6 addresses that provide a controlled environment, which helps identify infected systems that attempt to connect to malicious domains. Palo Alto Networks provides a default sinkhole server; alternatively, you can configure multiple custom servers (up to 10) of your choosing. If you decide to use the default sinkhole server, you can also enable and configure a block page that is displayed to users when they attempt to query a malicious DNS server.
If an IPv6 address is not used for your sinkhole configuration, the Advanced DNS
Security Resolver prioritizes returning an IPv6-converted IPv4 address. In the
event that conversion is unavailable, an NXDOMAIN response is issued.
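The following is an added example, not Palo Alto Networks code, of the identification step described above: it scans DNS response records for answers that point at a configured sinkhole, including converted IPv6 forms and the NXDOMAIN fallback. The log tuple layout, the sample addresses and names, and the two accepted conversion forms (IPv4-mapped and the NAT64 prefix `64:ff9b::/96`) are assumptions, since the page does not name the conversion scheme.

```python
import ipaddress
from collections import defaultdict

# Assumption: the page does not name the IPv4-to-IPv6 conversion, so both the
# IPv4-mapped form (::ffff:a.b.c.d) and the NAT64 prefix 64:ff9b::/96 are accepted.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

def embedded_ipv4(addr):
    """Return the IPv4 address carried inside a converted IPv6 address, else None."""
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr in NAT64_WKP:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None

def is_sinkholed(answer, sinkholes):
    """True if a DNS answer is a sinkhole address or a converted form of one."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # empty answer, CNAME target, etc.
    return addr in sinkholes or embedded_ipv4(addr) in sinkholes

def sinkholed_clients(records, sinkhole_ips):
    """Map client -> queried names whose answers pointed at a sinkhole.

    AAAA queries answered NXDOMAIN are also counted when the same name was
    sinkholed elsewhere in the log (the conversion-unavailable case)."""
    sinkholes = {ipaddress.ip_address(ip) for ip in sinkhole_ips}  # ValueError if invalid
    hits = defaultdict(set)
    for client, qname, qtype, rcode, answer in records:
        if rcode == "NOERROR" and is_sinkholed(answer, sinkholes):
            hits[client].add(qname)
    known = set().union(*hits.values())
    for client, qname, qtype, rcode, answer in records:
        if qtype == "AAAA" and rcode == "NXDOMAIN" and qname in known:
            hits[client].add(qname)
    return dict(hits)

# Constructed sample data: documentation-range addresses and hypothetical log
# tuples of (client, qname, qtype, rcode, answer).
SINKHOLES = ["198.51.100.53", "2001:db8::53"]
LOG = [
    ("10.0.0.5", "c2.bad.example", "A", "NOERROR", "198.51.100.53"),
    ("10.0.0.6", "c2.bad.example", "AAAA", "NOERROR", "::ffff:198.51.100.53"),
    ("10.0.0.7", "c2.bad.example", "AAAA", "NXDOMAIN", ""),
    ("10.0.0.8", "intranet.example", "A", "NOERROR", "192.0.2.10"),
    ("10.0.0.9", "typo.example", "AAAA", "NXDOMAIN", ""),
]
```

Calling `sinkholed_clients(LOG, SINKHOLES)` returns the three clients that queried the sinkholed name; the NXDOMAIN for an unrelated name is not flagged.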
- Log in to the Strata Cloud Manager on the hub.
- Select Configuration > ADNS Resolver.
- In the DNS Sinkhole Settings, select the edit icon to modify your DNS sinkhole configuration.
  You can use the Palo Alto Networks Sinkhole as the default or add custom, user-defined sinkholes and select one of those as the default.
  - Palo Alto Networks Sinkhole
    The Palo Alto Networks Sinkhole is automatically configured as the default sinkhole; it cannot be deleted or reconfigured to use an alternate sinkhole IP address/FQDN. However, you can define the contents of the browser warning page, also referred to as the block page, that displays when a DNS request is sinkholed.
    - Select the Palo Alto Networks Sinkhole Setting tab and provide the following details:
    - (Optional) For custom block pages, specify an image (up to 500kb), the logging attributes associated with the blocked domain request, and a message for the block page.
    - For endpoint devices to access the block page, you must Download Palo Alto Networks Root Certificate and install it onto all firewalls, enterprise browsers such as PAB, endpoints, or the SSL forward proxy. Failure to do so will render the block page inaccessible.
  - Custom Sinkhole
    You can add up to 10 custom, user-defined sinkholes, in addition to the Palo Alto Networks Sinkhole, which cannot be deleted or modified. Any one of these can be configured as the default sinkhole. If you are using an IP address, it must be a valid IPv4 or IPv6 address.
    - Select the Default Sinkhole Setting tab.
    - Select + Add to open a sinkhole entry and provide the Name and Sinkhole IP Address/FQDN of the server.
      Custom DNS sinkhole servers must have an IPv4 or IPv6 address and a custom root certificate.
    - Repeat the above steps to add additional custom sinkholes.
If you have multiple sinkholes configured for the Advanced DNS Security Resolver, you can select any definition as the default. The default sinkhole is used globally, and is automatically applied to all DNS Security Profile Categories, Overrides actions, Custom FQDN Lists, and EDL Definitions that have already been configured to use the default sinkhole (Sinkhole (Default)). Alternatively, you can also explicitly define a specific sinkhole for specific configurations.
You cannot delete a custom sinkhole that is in use. Remove all in-use references to the custom sinkhole before deleting the custom sinkhole setting.
- Select Save when finished.
You can preview the block page from the DNS Sinkhole Settings pane in the DNS Resolver Configurations tab.
By default, the following block page contents are displayed: