Configure DNS Sinkholing
Focus
Focus
Advanced Threat Prevention

Configure DNS Sinkholing

Table of Contents

Configure DNS Sinkholing

Where Can I Use This?
What Do I Need?
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series
  • Advanced Threat Prevention or Threat Prevention License
To enable DNS sinkholing, attach the default Anti-Spyware profile to a firewall security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signature source that you specify are resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4—sinkhole.paloaltonetworks.com and a loopback address IPv6 address—::1. These address are subject to change and can be updated with content updates.
  1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name
      the profile and select the
      DNS Policies
      tab.
    4. Verify that
      default-paloalto-dns
      is present in the
      Signature Source
      .
    5. (
      Optional
      ) In the
      Packet Capture
      drop-down, select
      single-packet
      to capture the first packet of the session or
      extended-capture
      to set between 1-50 packets. You can then use the packet captures for further analysis.
  2. Verify the sinkholing settings on the Anti-Spyware profile.
    1. On the
      DNS Policies
      tab, verify that the
      Policy Action
      on DNS queries is
      sinkhole
      .
    2. In the DNS Sinkhole Settings section, verify that
      Sinkhole
      is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
      If you want to modify the
      Sinkhole IPv4
      or
      Sinkhole IPv6
      address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    3. Click
      OK
      to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select
      Policies
      Security
      and select a security policy rule.
    2. On the
      Actions
      tab, select the
      Log at Session Start
      check box to enable logging.
    3. In the Profile Setting section, click the
      Profile Type
      drop-down to view all
      Profiles
      . From the
      Anti-Spyware
      drop-down and select the new profile.
    4. Click
      OK
      to save the policy rule.
  4. Test that the policy action is enforced by monitoring the activity on the firewall.
    1. Select
      ACC
      and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
    2. Select
      Monitor
      Logs
      Threat
      and filter by
      (action eq sinkhole)
      to view logs on sinkholed domains.

Recommended For You