Manage DNS Sinkhole Settings
Advanced DNS Security Powered by Precision AI®

Describes how to manage the DNS sinkhole configuration for your Advanced DNS Security Resolver.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Advanced DNS Security Resolver License
The sinkhole redirects malicious or otherwise unwanted DNS queries to a non-routable IP address, which provides a controlled environment that helps identify infected systems attempting to connect to malicious domains. Palo Alto Networks provides a default sinkhole server; alternatively, you can configure multiple custom servers (up to 10) of your choosing. If you use the default sinkhole server, you can also enable and configure a block page that is displayed to users when they attempt to query a malicious DNS server.
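As an added illustration of how sinkholed answers help identify infected systems (an example written for this page, not Palo Alto Networks code), the following Python scans a constructed DNS answer log for A records that point at a sinkhole address and ranks the clients that received them. The log format, the sinkhole addresses (documentation ranges) and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole addresses (documentation ranges), standing in for the
# default sinkhole and one custom sinkhole configured on the resolver.
SINKHOLES = {"198.51.100.10", "203.0.113.53"}

# Constructed DNS answer log: timestamp client qname rtype answer (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.4.22 updates.example.net A 192.0.2.80
2024-05-01T10:00:03Z 10.1.4.22 c2.bad-domain.example A 198.51.100.10
2024-05-01T10:00:09Z 10.1.7.5 cdn.example.org AAAA 2001:db8::1
2024-05-01T10:01:12Z 10.1.4.22 c2.bad-domain.example A 198.51.100.10
2024-05-01T10:02:40Z 10.1.9.31 dga-x7f3.example A 203.0.113.53
2024-05-01T10:02:41Z truncated-line
2024-05-01T10:03:00Z 10.1.4.22 beacon.bad-domain.example A 203.0.113.53
"""


def load_sinkholes(addresses):
    """Return the sinkhole set, rejecting anything that is not an IPv4 literal."""
    return {str(ipaddress.IPv4Address(a)) for a in addresses}


def sinkholed_clients(log_text, sinkholes):
    """Map each client to {domain: hit count} for answers pointing at a sinkhole."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        _ts, client, qname, rtype, answer = fields
        if rtype == "A" and answer in sinkholes:
            hits[client][qname.rstrip(".").lower()] += 1
    return {c: dict(d) for c, d in hits.items()}


def report(hits):
    """Order clients by number of distinct sinkholed domains, then total hits."""
    return sorted(hits, key=lambda c: (-len(hits[c]), -sum(hits[c].values()), c))


if __name__ == "__main__":
    found = sinkholed_clients(SAMPLE_LOG, load_sinkholes(SINKHOLES))
    for client in report(found):
        print(client, found[client])
```

Clients that repeatedly receive sinkhole answers for several distinct domains are the first candidates for endpoint investigation.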
  1. Log in to the Strata Cloud Manager on the hub.
  2. Select Configuration > ADNS Resolver.
  3. In the DNS Sinkhole Settings, select the edit icon to modify your DNS sinkhole configuration.
  4. You can use the Palo Alto Networks Sinkhole as the default or add additional custom, user-defined sinkholes, and select one of those as the default.
    • Palo Alto Networks Sinkhole
      The Palo Alto Networks Sinkhole is automatically configured as the default sinkhole; it cannot be deleted or reconfigured to use an alternate sinkhole IP address/FQDN. However, you can define the contents of the browser warning page, also referred to as the block page, that displays when a DNS request is sinkholed.
      1. Select the Palo Alto Networks Sinkhole Setting tab and provide the following details:
      2. (Optional) For custom block pages, specify an image (up to 500kb), the logging attributes associated with the blocked domain request, and a message for the block page.
      3. For endpoint devices to access the block page, you must Download Palo Alto Networks Root Certificate and install it onto all firewalls, enterprise browsers such as PAB, endpoints or the SSL forward proxy. Failure to do so will render the block page inaccessible.
    • Custom Sinkhole
      You can add up to 10 custom, user-defined sinkholes, in addition to the Palo Alto Networks Sinkhole, which cannot be deleted or modified. Any one of these can be configured as the default sinkhole.
      1. Select the Default Sinkhole Setting tab.
      2. Select + Add to open a sinkhole entry and provide the Name and Sinkhole IP Address/FQDN of the server.
        Custom DNS sinkhole servers must have an IPv4 address and a custom root certificate.
      3. Repeat the above steps to add additional custom sinkholes.
  5. If you have multiple sinkholes configured for the Advanced DNS Security Resolver, you can select any definition as the default. The default sinkhole is used globally, and is automatically applied to all DNS Security Profile Categories, Overrides actions, Custom FQDN Lists, and EDL Definitions that have already been configured to use the default sinkhole (Sinkhole (Default)). Alternatively, you can also explicitly define a specific sinkhole for specific configurations.
    You cannot delete a custom sinkhole that is in use. Remove all in-use references to the custom sinkhole before deleting the custom sinkhole setting.
  6. Select Save when finished.
  7. You can preview the block page from the DNS Sinkhole Settings pane in the DNS Resolver Configurations tab.
    By default, the following block page contents are displayed: