Prior to PAN-OS 7.1, DNS sinkholing could use only the DNS-based signatures already available on the firewall. Starting with PAN-OS 7.1, if you subscribe to a third-party threat intelligence feed and want to protect your network from the new sources of threats or malware it lists, you can create an external dynamic list of domain names and have the firewall act on those domains as soon as it fetches the list.
An external dynamic list (formerly called a Dynamic Block List) is a text file that you host on an external web server. In addition to IP addresses and URLs, you can now use such a list to import domain names into the firewall and enforce policy (block, alert, sinkhole, or allow) on the domains it contains. The firewall generates DNS-based spyware signatures for each domain in a custom or third-party list, so intelligence from other sources can drive DNS sinkholing of malicious DNS traffic. The firewall re-imports the list at the configured interval and enforces policy for the domains it currently contains without a configuration change or commit on the firewall. The DNS-based spyware signature that the firewall generates for a custom domain name is of type spyware with medium severity and is named Custom Malicious DNS Query <domain name>.
Each firewall platform supports a maximum of 30 unique sources for external dynamic lists; this limit does not apply to Panorama itself. When Panorama manages a firewall that is enabled for multiple virtual systems, Panorama displays a commit error if the firewall's limit is exceeded. Each firewall platform also supports a maximum of 50,000 domain names combined across all of its external dynamic lists; no limit is enforced on any single list, so one list can hold all 50,000 entries. A source is the URL of the list, including the IP address or hostname, the path, and the filename. The firewall compares the complete URL string to decide whether a source is unique, so the same file referenced through two different URLs (for example, by hostname and by IP address) counts as two sources.
Use an External Dynamic List in an Anti-Spyware Profile for Sinkholing Custom Domains
Create an external dynamic list of domain names and host it on a web server that the firewall can reach. Follow the formatting guidelines for the list. The 50,000 domain name limit applies only to the signatures the firewall generates for entries in external dynamic lists; the DNS signatures that Palo Alto Networks provides do not count toward it.
Configure the firewall to access the external dynamic list.
Use the external dynamic list in an Anti-Spyware profile and enforce policy.
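Before pointing the firewall at a hosted list, it is worth checking the file the way the firewall will read it: one domain per line, counted against the combined 50,000 limit, with sources counted by complete URL string. The script below is an added example written for this page, not Palo Alto Networks code, and it runs entirely offline on constructed sample lists. The exact per-line rules it applies (lines beginning with # are comments, case is folded, URLs, wildcards and IP addresses are rejected) are assumptions made for the validator; confirm them against the formatting guidelines for your release.

```python
"""Sanity checks for domain-type external dynamic lists (EDLs).

Added example, not Palo Alto Networks code. Assumes the list format described
on the page (one domain per line). Treating '#' lines as comments, folding
case, and rejecting URLs/wildcards/IPs are this validator's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Per-firewall limits stated in the text (PAN-OS 7.1).
MAX_UNIQUE_SOURCES = 30
MAX_DOMAINS_TOTAL = 50000

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_domain_list(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (accepted domains, rejected entries) for one hosted list.

    Rejected entries are (line number, raw line, reason). Anything that is not
    a bare domain name is reported rather than silently counted toward the limit.
    """
    accepted: List[str] = []
    rejected: List[Tuple[int, str, str]] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumption: '#' starts a comment
            continue
        candidate = entry.lower().rstrip(".")   # assumption: case-insensitive, trailing dot ignored
        if "://" in candidate or "/" in candidate:
            rejected.append((lineno, raw, "URL, not a bare domain name"))
        elif "*" in candidate:
            rejected.append((lineno, raw, "wildcard not allowed in a domain list"))
        elif _IPV4_RE.match(candidate):
            rejected.append((lineno, raw, "IP address belongs in an IP list"))
        elif not _DOMAIN_RE.match(candidate):
            rejected.append((lineno, raw, "not a valid domain name"))
        elif candidate in seen:
            continue  # duplicate within the same list; counted once
        else:
            seen.add(candidate)
            accepted.append(candidate)
    return accepted, rejected


def unique_source_count(source_urls: List[str]) -> int:
    """Count sources the way the text says the firewall does: by the complete
    URL string, so the same file reached via two different URLs is two sources."""
    return len(set(source_urls))


def check_limits(lists: Dict[str, str]) -> Dict[str, object]:
    """Evaluate {source URL: list text} against the per-firewall limits.

    Domains are summed across all lists (de-duplicated only within a list),
    because the text states the 50,000 limit is combined with no per-list cap.
    """
    total = 0
    rejected_total = 0
    for text in lists.values():
        accepted, rejected = parse_domain_list(text)
        total += len(accepted)
        rejected_total += len(rejected)
    sources = unique_source_count(list(lists.keys()))
    return {
        "sources": sources,
        "sources_ok": sources <= MAX_UNIQUE_SOURCES,
        "domains": total,
        "domains_ok": total <= MAX_DOMAINS_TOTAL,
        "rejected": rejected_total,
    }


# Constructed sample lists for this example; the hostnames and domains are not real indicators.
SAMPLE_LISTS = {
    "https://feeds.example.internal/vendor-a/domains.txt": (
        "# vendor A feed (constructed sample)\n"
        "bad.example.com\n"
        "BAD.EXAMPLE.COM\n"               # duplicate after case folding
        "evil.example.net.\n"             # trailing dot stripped
        "http://evil.example.org/path\n"  # rejected: URL, not a domain
        "*.example.org\n"                 # rejected: wildcard
        "203.0.113.7\n"                   # rejected: IP address
    ),
    "https://feeds.example.internal/vendor-b/domains.txt": (
        "c2.example.net\n"
        "bad.example.com\n"               # also in vendor A; counted once per list
    ),
}

if __name__ == "__main__":
    for url, text in SAMPLE_LISTS.items():
        accepted, rejected = parse_domain_list(text)
        print(f"{url}: {len(accepted)} domains accepted, {len(rejected)} rejected")
        for lineno, raw, reason in rejected:
            print(f"  line {lineno}: {raw!r}: {reason}")
    print(check_limits(SAMPLE_LISTS))
```

Run it against the files you actually host (replace SAMPLE_LISTS with the fetched contents keyed by the exact URL you will configure on the firewall). A rejected entry is the kind of line that silently fails to become a signature, and a sources count above 30 or a domain total above 50,000 is exactly what produces the commit error described above.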