Configure your firewall to enable DNS sinkholing using the DNS Security service.

To enable DNS sinkholing for domain queries using DNS Security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware profile that references the DNS Security service, configure the log severity and policy settings for each DNS signature category, and then attach the profile to a security policy rule.
Configure DNS signature policy settings to send malware DNS queries to the defined sinkhole.

1. Select Objects > Security Profiles > Anti-Spyware.
2. Create a new profile, modify an existing one, or clone one of the existing default profiles.
3. Name the profile and, optionally, provide a description.
4. Select the DNS Policies tab.
5. In the Signature Source column, beneath the DNS Security heading, each DNS signature source is individually configurable, so you can define a separate policy action and log severity level for each one.
   Palo Alto Networks recommends changing the default DNS Policies settings for the signature sources to ensure optimum coverage and to assist with incident response and remediation. Follow the best practices for configuring your DNS Security settings as outlined in Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
6. Specify the log severity level that is recorded when the firewall detects a domain matching a DNS signature. For more information about the log severity levels, refer to Threat Severity Levels.
7. Select the action to take when a DNS lookup is made to a known malware site for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
8. In the Packet Capture drop-down, select single-packet to capture the first packet of the session, or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
9. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default sinkhole address (sinkhole.paloaltonetworks.com) points to a Palo Alto Networks server; Palo Alto Networks can automatically refresh this address through content updates.
(Optional) Add domain signature exceptions in cases where false positives occur.

1. Select Objects > Security Profiles > Anti-Spyware.
2. Select a profile to modify.
3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
4. Search for a DNS signature to exclude by entering its name or FQDN.
5. Select the checkbox for each Threat ID of the DNS signature that you want to exclude from enforcement.
6. Click OK to save your new or modified Anti-Spyware profile.
(Optional) Add an allow list to specify DNS domains or FQDNs that are explicitly allowed.

1. Select Objects > Security Profiles > Anti-Spyware.
2. Select a profile to modify.
3. Add or modify the Anti-Spyware profile to which you want to add the allow list, and select DNS Exceptions.
4. To Add a new FQDN Allow List entry, provide the DNS domain or FQDN and a description.
5. Click OK to save your new or modified Anti-Spyware profile.
(Optional) Verify your firewall’s connectivity to the DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.

Use the following CLI command on the firewall to verify your firewall’s connection availability to the DNS Security service:

    show dns-proxy dns-signature info

For example:

    show dns-proxy dns-signature info
    Cloud URL: dns.service.paloaltonetworks.com:443
    Telemetry URL: io.dns.service.paloaltonetworks.com:443
    Last Result: None
    Last Server Address:
    Parameter Exchange: Interval 300 sec
    Allow List Refresh: Interval 43200 sec
    Request Waiting Transmission: 0
    Request Pending Response: 0
    Cache Size: 0
(Optional) Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.

Use the following CLI command on the firewall to review the details for a domain:

    test dns-proxy dns-signature fqdn

For example:

    test dns-proxy dns-signature fqdn www.yahoo.com
    DNS Signature Query [ www.yahoo.com ]
    Completed in 178 ms
    DNS Signature Response
    Entries: 2
    Domain           Category   GTID   TTL
    -------------------------------------------------------------------------------------------------
    *.yahoo.com      Benign     0      86400
    www.yahoo.com    Benign     0      3600
(Optional) Configure the DNS signature lookup timeout setting. If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, is passed through (that is, a lookup that times out fails open). You can check the average latency to verify that requests fall within the configured period. If the average latency exceeds the configured period, consider raising the setting to a value that is higher than the average latency to prevent requests from timing out.

In the CLI, issue the following command to view the average latency:

    show dns-proxy dns-signature counters

The default timeout is 100 milliseconds.

Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency is the average time it takes to retrieve a signature verdict from the DNS Security service. Additional latency statistics for various latency ranges are listed below the averages.

    Signature query API:
    .
    .
    .
    [latency ] :
    max 1870 (ms) min 16(ms) avg 27(ms)
    50 or less : 47246
    100 or less : 113
    200 or less : 25
    400 or less : 15
    else : 21

If the average latency is consistently above the default timeout value, you can raise the setting so that the requests fall within a given period. Select Device > Content-ID and update the Realtime Signature Lookup setting.
Commit the changes.
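As an added example (not part of the PAN-OS documentation or the firewall's own tooling), the following Python parses the latency section of `show dns-proxy dns-signature counters` output, checks the average against the Realtime Signature Lookup timeout, and counts the lookups that fell into buckets above the timeout and so may have been passed through without a verdict. It assumes the histogram lines are per-bin counts (as the sample above reads), uses a constructed sample modelled on that output, and picks the next bucket bound above the average as its suggested new timeout, which is this example's own choice.

```python
import re

# Constructed sample of the latency block printed by `show dns-proxy dns-signature counters`,
# modelled on the page's output; the counts are illustrative, not real data.
SAMPLE_COUNTERS = """\
Signature query API:
[latency ] :
max 1870 (ms) min 16(ms) avg 27(ms)
50 or less : 47246
100 or less : 113
200 or less : 25
400 or less : 15
else : 21
"""
DEFAULT_TIMEOUT_MS = 100  # PAN-OS default Realtime Signature Lookup timeout

def parse_latency(output):
    """Return ({'max','min','avg'} in ms, [(bucket_upper_ms or None, count), ...])."""
    m = re.search(r"max\s+(\d+)\s*\(ms\)\s+min\s+(\d+)\s*\(ms\)\s+avg\s+(\d+)\s*\(ms\)", output)
    if not m:
        raise ValueError("latency line not found in output")
    stats = dict(zip(("max", "min", "avg"), map(int, m.groups())))
    # Buckets are read as per-bin counts (how the page's sample reads); 'else' has no upper bound.
    buckets = [(int(u), int(c)) for u, c in re.findall(r"(\d+) or less\s*:\s*(\d+)", output)]
    e = re.search(r"\belse\s*:\s*(\d+)", output)
    buckets.append((None, int(e.group(1)) if e else 0))
    return stats, buckets

def assess_timeout(output, timeout_ms=DEFAULT_TIMEOUT_MS):
    """Compare observed latency with the lookup timeout and suggest a higher value if needed."""
    stats, buckets = parse_latency(output)
    total = sum(c for _, c in buckets)
    # Bins whose upper bound exceeds the timeout hold lookups that may have timed out and
    # been passed through without a verdict (the fail-open case described on the page).
    over = sum(c for u, c in buckets if u is None or u > timeout_ms)
    within = stats["avg"] <= timeout_ms
    if within:
        recommended = timeout_ms
    else:
        # The page says to pick a value above the average; using the next bucket bound
        # above it is this example's own choice (assumption).
        higher = [u for u, _ in buckets if u is not None and u > stats["avg"]]
        recommended = min(higher) if higher else stats["avg"] + 50
    return {"avg_ms": stats["avg"], "timeout_ms": timeout_ms, "avg_within_timeout": within,
            "over_timeout_lookups": over, "total_lookups": total,
            "recommended_timeout_ms": recommended}
```

Paste the real latency section from your firewall in place of the constructed sample; an `avg_within_timeout` of False, or a noticeable `over_timeout_lookups` share, is the signal to revisit the Realtime Signature Lookup setting.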
To view sinkholed DNS queries, refer to the firewall threat
logs (