Enable DNS Security

Configure your firewall to enable DNS sinkholing using the DNS Security service.
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, enable the sinkhole action, and attach the profile to a security policy rule.
  1. Activate Subscription Licenses.
  2. Configure DNS signature policy settings to send malware DNS queries to the defined sinkhole.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Create or modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name the profile and, optionally, provide a description.
    4. Select the DNS Signatures>Policies & Settings tab.
    5. If the Palo Alto NetworksDNS Security source is not present, click Add and select it from the list.
    6. Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
    7. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
    8. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
      If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    9. Click OK to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select PoliciesSecurity.
    2. Select or create a Security Policy Rule.
    3. On the Actions tab, select the Log at Session End check box to enable logging.
    4. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down and select the new or modified profile.
    5. Click OK to save the policy rule.
  4. Test that the policy action is enforced.
    1. Access the following test domains to verify that the policy action for a given threat type is being enforced:
    2. To monitor the activity on the firewall:
      1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
      2. Select MonitorLogsThreat and filter by (action eq sinkhole) to view logs on sinkholed domains.
  5. Identify Infected Traffic Hosts in the Traffic Logs
  6. (Optional) Add domain signature exceptions in cases where false-positives occur.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures > Exceptions.
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
    6. Click OK to save your new or modified Anti-Spyware profile.

Related Documentation