DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address (or to an IP address that you define if you choose to Configure DNS Sinkholing for a List of Custom Domains). Infected hosts can then be easily identified in the traffic logs.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address.
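As an added example (not code from this documentation page), the following Python script shows the visibility gap described above on constructed, simplified log lines: the threat log attributes the sinkholed query to the internal resolver, while the traffic log reveals the hosts that actually tried to reach the sinkhole address. The sinkhole IP, the comma-separated field layout and all addresses are assumptions for illustration, not the real PAN-OS log format or the real default sinkhole address.

```python
"""Identify infected hosts from sinkhole hits in traffic logs."""
from collections import defaultdict

# Assumed sinkhole address for this example (documentation address range);
# substitute the address your firewall actually uses.
SINKHOLE_IP = "192.0.2.1"

# Constructed, simplified traffic log: "src,dst,dport,app".
# The real traffic log carries many more fields; only these are used here.
TRAFFIC_LOG = """\
10.1.1.20,192.0.2.1,443,ssl
10.1.1.20,192.0.2.1,80,web-browsing
10.1.1.50,93.184.216.34,443,ssl
10.1.1.77,192.0.2.1,443,ssl
10.1.1.10,10.1.1.53,53,dns
"""

# Constructed threat log: "src,dst,dport,app,action". With the firewall
# north of the internal resolver (10.1.1.53), the source of the sinkholed
# DNS query is the resolver, not the client that originated it.
THREAT_LOG = """\
10.1.1.53,198.51.100.9,53,dns,sinkhole
"""


def parse(log: str) -> list[list[str]]:
    """Split each non-empty log line into its comma-separated fields."""
    return [line.split(",") for line in log.splitlines() if line.strip()]


def threat_log_sources(log: str) -> set[str]:
    """Hosts the threat log names as the source of sinkholed queries."""
    return {fields[0] for fields in parse(log) if fields[4] == "sinkhole"}


def infected_hosts(traffic_log: str, sinkhole_ip: str = SINKHOLE_IP) -> dict[str, int]:
    """Map each host that tried to reach the sinkhole IP to its number of attempts."""
    hits: dict[str, int] = defaultdict(int)
    for src, dst, _dport, _app in parse(traffic_log):
        if dst == sinkhole_ip:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("threat log points at:", threat_log_sources(THREAT_LOG))
    print("traffic log reveals:", infected_hosts(TRAFFIC_LOG))
```

The threat log alone would have you investigate the resolver; the traffic log filter on the sinkhole address is what surfaces the two real clients.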