To enable DNS sinkholing, attach the default
Anti-Spyware profile to a security policy rule (see Set Up Antivirus,
Anti-Spyware, and Vulnerability Protection). DNS queries
to any domain included in the Palo Alto Networks DNS signature source
that you specify are resolved to the default Palo Alto Networks
sinkhole IP address. The sinkhole addresses are currently
sinkhole.paloaltonetworks.com for IPv4 and the loopback address ::1
for IPv6. These addresses are subject to change and can be updated
with content updates.
Enable DNS sinkholing for the custom list of domains in an external dynamic list.
Select Objects > Security Profiles > Anti-Spyware.
Modify an existing profile, or select one of the existing default profiles and clone it.
Name the profile and select the DNS Signatures tab.
Verify that Palo Alto Networks Content DNS Signatures is present in the DNS Signature Source.
(Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
Verify the sinkholing settings on the Anti-Spyware profile.
On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
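
A check for the result of this procedure, added here as an example (it is not Palo Alto Networks code): it scans dig-style answer lines for the default sinkhole name and IPv6 address given above. It assumes the forged IPv4 answer shows up as a CNAME to the sinkhole FQDN; the function names and the sample records are constructed for illustration.

```python
import ipaddress

# Defaults named on this page. They can change with content updates, so
# both sets are parameters of the check rather than fixed inside it.
SINKHOLE_NAMES = frozenset({"sinkhole.paloaltonetworks.com"})
SINKHOLE_ADDRS = frozenset({ipaddress.ip_address("::1")})

def norm_name(name):
    """Compare DNS names case-insensitively and without the root dot."""
    return name.rstrip(".").lower()

def parse_answers(dig_text):
    """Yield (owner, rtype, rdata) for each 'owner TTL IN TYPE RDATA' line."""
    for line in dig_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank lines, section headers, comments
        if fields[2].upper() == "IN":
            yield norm_name(fields[0]), fields[3].upper(), fields[4]

def sinkhole_evidence(dig_text, names=SINKHOLE_NAMES, addrs=SINKHOLE_ADDRS):
    """Return the answer records that point at a sinkhole name or address."""
    hits = []
    for owner, rtype, rdata in parse_answers(dig_text):
        if rtype == "CNAME" and norm_name(rdata) in names:
            hits.append((owner, rtype, norm_name(rdata)))
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata is not evidence either way
            if addr in addrs:  # ip_address() normalises 0:0:0:0:0:0:0:1 to ::1
                hits.append((owner, rtype, str(addr)))
    return hits

# Constructed samples (documentation domains and address ranges only).
SINKHOLED_A = """\
;; ANSWER SECTION:
bad-domain.example.  1800 IN CNAME Sinkhole.PaloAltoNetworks.com.
sinkhole.paloaltonetworks.com. 30 IN A 198.51.100.7
"""
SINKHOLED_AAAA = "bad-domain.example. 1800 IN AAAA 0:0:0:0:0:0:0:1\n"
CLEAN = "www.example.com. 300 IN A 192.0.2.10\n"

if __name__ == "__main__":
    for label, text in [("A", SINKHOLED_A), ("AAAA", SINKHOLED_AAAA), ("clean", CLEAN)]:
        print(label, sinkhole_evidence(text))
```

If the profile uses a custom sinkhole address, pass it in through `addrs` so the check follows the configured value instead of the defaults.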