Configure the Sinkhole IP Address to a Local Server on Your Network
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.
The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honey-pot server as a physical host to further analyze the malicious traffic.
The configuration steps that follow use the following example DNS sinkhole addresses:
IPv4 DNS sinkhole address—10.15.0.20
IPv6 DNS sinkhole address—fd97:3dec:4d27:e37c:5:5:5:5
- Configure the sinkhole interface and zone. Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so that the traffic is logged. Use a dedicated zone for sinkhole traffic, because infected hosts will be sending traffic to this zone.
- Select Network > Interfaces and select an interface to configure as your sinkhole interface.
- In the Interface Type drop-down, select Layer3.
- To add an IPv4 address, select the IPv4 tab and select Static and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
- Select the IPv6 tab and click Static and then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
- Click OK to save.
- To add a zone for the sinkhole, select Network > Zones and click Add.
- Enter a zone Name.
- In the Type drop-down, select Layer3.
- In the Interfaces section, click Add and add the interface you just configured.
- Click OK.
- Enable DNS sinkholing. By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see the step "Verify the sinkholing settings on the Anti-Spyware profile" in Configure DNS Sinkholing for a List of Custom Domains.
- Edit the Security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination, and attach the Anti-Spyware profile. Editing the Security policy rule(s) that allow traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
- Select Policies > Security.
- Select an existing rule that allows traffic from the client host zone to the untrust zone.
- On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
- On the Actions tab, select the Log at Session Start check box to enable logging. This will ensure that traffic from client hosts in the Trust zone will be logged when accessing the Untrust or Sinkhole zones.
- In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
- Click OK to save the Security policy rule and then Commit.
- To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged. In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
- From a client host in the trust zone, open a command prompt and run the following command:
C:\>ping <sinkhole address>
The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:
C:\>ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
- On the firewall, select Monitor > Logs > Traffic and find the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This confirms that the traffic to the sinkhole IP address is traversing the firewall zones. You can search and/or filter the logs to show only entries with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which adds the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.
- Test that DNS sinkholing is configured properly. You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
- Find a malicious domain that is included in the firewall’s current Antivirus signature database to test sinkholing.
- Select Device > Dynamic Updates and, in the Antivirus section, click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
- In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column displays the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
conficker:tbsbana 1 variants: net
- From the client host, open a command prompt.
- Perform an NSLOOKUP to a URL that you identified as a known malicious domain. For example, using the URL track.bidtrk.com:
C:\>nslookup track.bidtrk.com
Server:  my-local-dns.local
Address:  10.0.0.222

Non-authoritative answer:
Name:    track.bidtrk.com.org
Addresses:  fd97:3dec:4d27:e37c:5:5:5:5
          10.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that you configured (10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
- Select Monitor > Logs > Threat and locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
- Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.
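As an added example (not part of this documentation page and not Palo Alto Networks code), the following Python script performs the two verification checks above offline: it parses a Windows nslookup transcript and confirms that every answer address is one of the configured sinkhole addresses, and it applies the equivalent of the addr.dst in 10.15.0.20 log filter to traffic-log rows to list the client hosts that contacted the sinkhole. The nslookup transcript, the CSV rows and their column names are constructed sample data in the shape of the outputs shown above, not a real firewall export; the sinkhole and client addresses are the page's example values.

```python
"""Offline checks for the DNS sinkhole verification steps (added example).

Constructed assumptions: the nslookup transcript and the traffic-log CSV
(including its column names) are sample data shaped like the outputs in the
procedure above; they are not captures from a real firewall.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Sinkhole addresses configured on the firewall (the page's example values).
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed nslookup transcript in the Windows format shown above.
NSLOOKUP_OUTPUT = """\
Server:  my-local-dns.local
Address:  10.0.0.222

Non-authoritative answer:
Name:    track.bidtrk.com
Addresses:  fd97:3dec:4d27:e37c:5:5:5:5
          10.15.0.20
"""

# Constructed traffic-log rows (CSV shape assumed for this example).
TRAFFIC_LOG_CSV = """\
receive_time,src,dst,dport,app,from_zone,to_zone,action
2024/01/10 09:12:01,192.168.2.10,10.15.0.20,0,ping,trust,sinkhole,allow
2024/01/10 09:12:05,192.168.2.10,203.0.113.5,443,ssl,trust,untrust,allow
2024/01/10 09:13:40,192.168.2.57,fd97:3dec:4d27:e37c:0005:5:5:5,80,web-browsing,trust,sinkhole,allow
2024/01/10 09:14:02,192.168.2.99,10.0.0.222,53,dns,trust,untrust,allow
"""


def answer_addresses(nslookup_text):
    """Return the IP addresses in the answer section of a Windows nslookup
    transcript (the lines after 'Name:'), ignoring the resolver's own
    Server/Address header so 10.0.0.222 is never mistaken for an answer."""
    addrs = []
    in_answer = False
    for line in nslookup_text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        for token in line.replace("Addresses:", " ").replace("Address:", " ").split():
            try:
                addrs.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # not an address (label text, blank, etc.)
    return addrs


def is_sinkholed(nslookup_text, sinkholes=SINKHOLE_ADDRESSES):
    """True when the lookup returned at least one address and every returned
    address is a configured sinkhole address. ipaddress objects compare by
    value, so differently written IPv6 forms still match."""
    addrs = answer_addresses(nslookup_text)
    return bool(addrs) and all(addr in sinkholes for addr in addrs)


def infected_hosts(traffic_log_csv, sinkholes=SINKHOLE_ADDRESSES):
    """Apply the equivalent of the log filter (addr.dst in <sinkhole>) and
    group the matching rows by source host. A source that connected to the
    sinkhole resolved a malicious domain and then tried to reach it."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(traffic_log_csv)):
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # malformed destination column; skip the row
        if dst in sinkholes:
            hits[row["src"]].append((row["receive_time"], row["dst"], row["app"]))
    return dict(hits)


if __name__ == "__main__":
    print("nslookup answer forged by sinkhole:", is_sinkholed(NSLOOKUP_OUTPUT))
    for src, rows in infected_hosts(TRAFFIC_LOG_CSV).items():
        print("host contacted sinkhole:", src, rows)
```

The IPv6 row in the sample log is deliberately written with a zero-padded group to show that comparison is done on parsed addresses rather than on strings; a string filter would miss it.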