Configure DNS Sinkholing for a List of Custom Domains

To enable DNS Sinkholing for a custom list of domains, you must create an external dynamic list that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall platform supports a maximum of 50,000 domain names in total across one or more External Dynamic Lists, but no maximum limit is enforced for any one list.
  1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name the profile and select the DNS Signatures tab.
    4. Add an External Dynamic List. When you configure the external dynamic list from the Anti-Spyware profile, the Type is preset to Domain List.
       If you have already created an external dynamic list of type Domain List, you can select it here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
       Use MineMeld to generate an external dynamic list based on the contents of multiple threat feeds.
    5. Configure access to the external dynamic list.
      1. Enter a descriptive Name for the list.
      2. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
      3. Populate the list with domain names. See Formatting Guidelines for an External Dynamic List.
      4. Click Test Source URL to verify that the firewall can connect to the list on the web server.
         If the web server is unreachable after the connection is established, the firewall or Panorama uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
      5. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the list is retrieved once every hour.
      6. Click OK.
    6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
  2. Verify the sinkholing settings on the Anti-Spyware profile.
    1. On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
    2. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
       If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    3. Click OK to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select Policies > Security.
    2. On the Actions tab, select the Log at Session Start check box to enable logging.
    3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
    4. Click OK to save the policy rule.
  4. Test that the policy action is enforced.
    1. Access a domain in the external dynamic list.
    2. To monitor the activity on the firewall:
      1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
      2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
  5. Verify whether entries in the external dynamic list are ignored or skipped.
    In a list of type URL, the firewall skips entries that are not URLs as invalid and ignores entries that exceed the maximum limit for the platform.
    Use the following CLI command on the firewall to review the details about the list:
    request system external-list show type domain name <list_name>
    For example:
    request system external-list show type domain name My_List_of_Domains_2015
    vsys1/EBLDomain:
        Next update at : Thu May 21 10:15:39 2015
        Source     :https://1.2.3.4/My_List_of_Domains_2015
        Referenced : Yes
        Valid      : Yes
        Number of entries : 3
        domains:
            www.example.com
            baddomain.com
            qqq.abcedfg.com
  6. (Optional) Retrieve the external dynamic list on-demand.
    To force the firewall to retrieve the updated list on-demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:
    request system external-list refresh type domain name <list_name>
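As an added example (not part of this documentation page or of PAN-OS), the following Python script parses the output of the show command from step 5 and flags the conditions that step asks you to verify: the list is Valid and Referenced, the reported entry count matches the domains shown, and none of the domains you published were skipped or ignored. The sample output is constructed to match the example above.

```python
import re

# Constructed sample shaped like the show output in this procedure (not from a real firewall).
SAMPLE_OUTPUT = """vsys1/EBLDomain:
    Next update at : Thu May 21 10:15:39 2015
    Source     :https://1.2.3.4/My_List_of_Domains_2015
    Referenced : Yes
    Valid      : Yes
    Number of entries : 3
    domains:
        www.example.com
        baddomain.com
        qqq.abcedfg.com
"""

# "Field : value" lines; note the Source line has no space before its colon.
FIELD_RE = re.compile(r"^\s*(Next update at|Source|Referenced|Valid|Number of entries)\s*:\s*(.*)$")

def parse_edl_status(text):
    """Return the status fields as a dict plus the domains the firewall loaded."""
    info = {"domains": []}
    in_domains = False
    for line in text.splitlines():
        if in_domains:  # everything after "domains:" is one loaded entry per line
            if line.strip():
                info["domains"].append(line.strip())
            continue
        if line.strip() == "domains:":
            in_domains = True
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    info["Number of entries"] = int(info.get("Number of entries", 0))
    return info

def check_edl_status(info, expected_domains):
    """Findings for the step 5 checks; an empty list means the EDL is loaded and enforcing."""
    findings = []
    if info.get("Valid") != "Yes":
        findings.append("list is not valid: the firewall could not fetch or parse it")
    if info.get("Referenced") != "Yes":
        findings.append("list is not referenced by any Anti-Spyware profile")
    if info["Number of entries"] != len(info["domains"]):
        findings.append("entry count does not match the domains shown")
    missing = sorted(set(expected_domains) - set(info["domains"]))
    if missing:
        findings.append("entries skipped or ignored: " + ", ".join(missing))
    return findings
```

Feed it the real show output (for example, captured over SSH) and the domain list you published; any finding means the sinkhole action is not covering the domains you expect.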
