PAN-OS 9.1

Log in to the NGFW.
To take advantage of DNS Security, you must have an active DNS Security and Threat Prevention subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions that you currently have licenses for, select
Device
Licenses
and verify that the appropriate licenses display and have not expired.
Verify that the
paloalto-dns-security
App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
Configure DNS Security signature policy settings to send malware DNS queries to the defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, you can configure an EDL with an Alert action.
Select
Objects
Security Profiles
Anti-Spyware
.
Create or modify an existing profile, or select one of the existing default profiles and clone it.
Name
the profile and, optionally, provide a description.
Select the
DNS Signatures
>
Policies & Settings
tab.
If the
Palo Alto Networks
DNS Security
source is not present, click
Add
and select it from the list.
Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
(
Optional
) In the
Packet Capture
drop-down, select
single-packet
to capture the first packet of the session or
extended-capture
to set between 1-50 packets. You can then use the packet captures for further analysis.
In the
DNS Sinkhole Settings
section, verify that
Sinkhole
is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
Sinkhole
forges a response to a DNS query for domains that match the DNS category configured for a sinkhole action to the specified sinkhole server, to assist in identifying compromised hosts. When the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot be properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: (72.5.65.111).
If you want to modify the
Sinkhole IPv4
or
Sinkhole IPv6
address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
Click
OK
to save the Anti-Spyware profile.

Attach the Anti-Spyware profile to a Security policy rule.
Select
Policies
Security
.
Select or create a
Security Policy Rule
.
On the
Actions
tab, select the
Log at Session End
check box to enable logging.
In the Profile Setting section, click the
Profile Type
drop-down to view all
Profiles
. From the
Anti-Spyware
drop-down and select the new or modified profile.
Click
OK
to save the policy rule.
Test that the policy action is enforced.
Access the following test domains to verify that the policy action for a given threat type is being enforced:
Malware—test-malware.testpanw.com
C2—test-c2.testpanw.com
DGA—test-dga.testpanw.com
DNS Tunneling—test-dnstun.testpanw.com
To monitor the activity on the firewall:
View the threat Activity and search for the URL test domain tand Blocked Activity for the domain you accessed.
Select
Monitor
Logs
Threat
and filter by
(action eq sinkhole)
to view logs on sinkholed domains.
For more monitoring options, see Monitor DNS Security
Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the Anti-Spyware profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appears as a conventional
dns-base
application with a source port of 853.
Optional—See Infected Hosts that Attempted to Connect to a Malicious Domain