Configure DNS Sinkholing for a List of Custom Domains
To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic List that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall model supports a maximum of 50,000 domain names in total across one or more external dynamic lists; no maximum is enforced for any single list.
- Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    - Select Objects > Security Profiles > Anti-Spyware.
    - Modify an existing profile, or select one of the existing default profiles and clone it.
    - Name the profile and select the DNS Signatures tab.
    - Click Add and select External Dynamic Lists in the drop-down. If you have already created an external dynamic list of type Domain List, you can select it here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
    - Configure the external dynamic list from the Anti-Spyware profile (see Configure the Firewall to Access an External Dynamic List). The Type is preset to Domain List.
    - (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session, or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
- Verify the sinkholing settings on the Anti-Spyware profile.
    - On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
    - In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
    - Click OK to save the Anti-Spyware profile.
- Attach the Anti-Spyware profile to a Security policy rule.
    - On the Actions tab, select the Log at Session Start check box to enable logging.
    - In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
    - Click OK to save the policy rule.
- Test that the policy action is enforced.
    - View External Dynamic List Entries that belong to the domain list, and access a domain from the list.
    - To monitor the activity on the firewall:
        - Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
        - Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
- Verify whether entries in the external dynamic list are ignored or skipped. Use the following CLI command on the firewall to review the details about the list:

    request system external-list show type domain name <list_name>

  For example:

  ```
  request system external-list show type domain name My_List_of_Domains_2015

  vsys1/EBLDomain:
      Next update at : Thu May 21 10:15:39 2015
      Source : https://188.8.131.52/My_List_of_Domains_2015
      Referenced : Yes
      Valid : Yes
      Number of entries : 3
      domains:
          www.example.com
          baddomain.com
          qqq.abcedfg.com
  ```

- (Optional) Retrieve the external dynamic list on-demand. To force the firewall to retrieve the updated list on-demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:

    request system external-list refresh type domain name <list_name>
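A pre-publication hygiene check for the domain list, as an added Python example that is not part of the PAN-OS documentation: it normalises a domain-list file before it is served as the EDL, reports the entries the firewall would be expected to skip (so "Number of entries" matches what you intended), and checks the combined count against the 50,000-domain limit stated above. The file layout it assumes (one domain per line, `#` starts a comment, text after whitespace is ignored) and the sample list are assumptions constructed for the example, not taken from the page; wildcard entries are not handled.

```python
import re
from typing import Dict, List

# Maximum number of domains one firewall loads across all domain-type
# external dynamic lists (stated on the page); there is no per-list limit.
MAX_DOMAINS_PER_FIREWALL = 50_000

# Hostname syntax: labels of letters, digits and hyphens, 1-63 chars each,
# no leading or trailing hyphen, at least two labels, 253 chars overall.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def validate_domain_list(text: str) -> Dict[str, List[str]]:
    """Normalise a domain-list file before publishing it as an EDL.

    Assumed layout (not specified on the page): one entry per line, '#'
    starts a comment, and anything after whitespace on a line is ignored.
    Returns the deduplicated, lower-cased valid domains plus the lines that
    would be expected to be skipped, so they can be fixed before the next
    refresh rather than silently dropping a domain from the sinkhole set.
    """
    valid, skipped, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        entry = entry.split()[0].lower().rstrip(".")
        # A scheme or path means a URL was pasted into a domain list.
        bad_shape = "://" in entry or "/" in entry or len(entry) > 253
        if bad_shape or not _DOMAIN_RE.match(entry):
            skipped.append(f"line {lineno}: {raw.strip()}")
            continue
        if entry in seen:  # duplicates only differ by case or trailing dot
            continue
        seen.add(entry)
        valid.append(entry)
    return {"valid": valid, "skipped": skipped}


def over_firewall_limit(*lists: List[str]) -> bool:
    """True if the union of all lists exceeds what one firewall will load."""
    return len(set().union(*map(set, lists))) > MAX_DOMAINS_PER_FIREWALL


# Constructed sample list; only the first three names come from the page.
SAMPLE_LIST = """# constructed sample domain list
www.example.com
baddomain.com
qqq.abcedfg.com   # trailing comment is ignored
BadDomain.COM
http://not-a-domain.example/path
bad_label.example.com
"""
```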