Configure DNS Sinkholing for a List of Custom Domains
To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic List that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall model supports a maximum of 50,000 domain names total in one or more external dynamic lists but no maximum limit is enforced for any one list.
- Enable DNS sinkholing for the custom list of domains
in an external dynamic list.
- Select ObjectsSecurity ProfilesAnti-Spyware.
- Modify an existing profile, or select one of the existing default profiles and clone it.
- Name the profile and select the DNS Signatures tab.
- Click Add and select External
Dynamic Lists in the drop-down.If you have already created an external dynamic list of type: Domain List, you can select it from here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
- Configure the external dynamic list from the Anti-Spyware profile (see Configure the Firewall to Access an External Dynamic List). The Type is preset to Domain List.
- (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
- Verify the sinkholing settings on
the Anti-Spyware profile.
- On the DNS Signatures tab, verify that the Actionon DNS Queries is sinkhole.
- In the
Sinkhole section, verify that Sinkhole is
enabled. For your convenience, the default Sinkhole IP address is
set to access a Palo Alto Networks server. Palo Alto Networks can
automatically refresh this IP address through content updates.If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
- Click OK to save the Anti-Spyware profile.
- Attach the Anti-Spyware profile
to a Security policy rule.
- Select PoliciesSecurity.
- On the Actions tab, select the Log at Session Start check box to enable logging.
- In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down and select the new profile.
- Click OK to save the policy rule.
- Test that the policy action is enforced.
- View External Dynamic List Entries that belong to the domain list, and access a domain from the list.
- To monitor the activity on the firewall:
- Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
- Select MonitorLogsThreat and filter by (action eq sinkhole) to view logs on sinkholed domains.
- Verify whether entries in the external dynamic list are
ignored or skipped.Use the following CLI command on the firewall to review the details about the list.
request system external-list show type domain name<list_name>For example:
request system external-list show type domain name My_List_of_Domains_2015 vsys1/EBLDomain: Next update at : Thu May 21 10:15:39 2015 Source : https://188.8.131.52/My_List_of_Domains_2015 Referenced : Yes Valid : Yes Number of entries : 3 domains:www.example.com baddomain.com qqq.abcedfg.com
- (Optional) Retrieve the external dynamic list
on-demand.To force the firewall to retrieve the updated list on-demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:
request system external-list refresh type domain name <list_name>
Use DNS Queries to Identify Infected Hosts on the Network
Use DNS Queries to Identify Infected Hosts on the Network The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to ...
Objects > Security Profiles > Anti-Spyware Profile
Objects > Security Profiles > Anti-Spyware Profile You can attach an Anti-Spyware profile to a Security policy rule to detect connections initiated by spyware and ...
Configure the Sinkhole IP Address to a Local Server on Your...
Configure the Sinkhole IP Address to a Local Server on Your Network By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and ...
Enforce Policy on an External Dynamic List
Enforce Policy on an External Dynamic List Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use an ...
External Dynamic List
External Dynamic List An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import ...
Identify Infected Hosts
Identify Infected Hosts After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly ...
Objects > External Dynamic Lists
Objects > External Dynamic Lists An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names ...
DNS Sinkholing DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the ...
Actions in Security Profiles
Actions in Security Profiles The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo ...