Configure DNS Sinkholing

To enable DNS sinkholing, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signature source that you specify are resolved to the default Palo Alto Networks sinkhole IP address. The default sinkhole addresses are currently sinkhole.paloaltonetworks.com for IPv4 and the loopback address ::1 for IPv6. These addresses are subject to change and can be updated with content updates.
  1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Modify an existing profile, or select one of the existing default profiles and clone it.
    3. Name the profile and select the DNS Signatures tab.
    4. Verify that Palo Alto Networks Content DNS Signatures is present in the DNS Signature Source.
    5. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
  2. Verify the sinkholing settings on the Anti-Spyware profile.
    1. On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
    2. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
      If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
    3. Click OK to save the Anti-Spyware profile.
  3. Attach the Anti-Spyware profile to a Security policy rule.
    1. Select Policies > Security and select a security policy rule.
    2. On the Actions tab, select the Log at Session Start check box to enable logging.
    3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
    4. Click OK to save the policy rule.
  4. Test that the policy action is enforced by monitoring the activity on the firewall.
    1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
    2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
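
For reviewing the results of step 4 outside the web interface, the following added example (not part of the original documentation and not Palo Alto Networks code) applies the same action eq sinkhole filter to exported log rows and ranks the sources that queried sinkholed domains. The column names (time, src, action, domain) and the sample rows are constructed assumptions, not the firewall's actual export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names (time, src, action, domain) are
# assumptions for this example, not the firewall's actual export schema.
SAMPLE_CSV = """time,src,action,domain
2024-01-10 09:00:01,10.1.1.20,sinkhole,bad-domain.example
2024-01-10 09:00:05,10.1.1.20,sinkhole,bad-domain.example
2024-01-10 09:01:12,10.1.1.31,Sinkhole,other-bad.example.
2024-01-10 09:02:40,10.1.1.44,alert,benign-test.example
2024-01-10 09:03:02,10.1.1.20,sinkhole,other-bad.example
"""


def summarize_sinkholed(csv_text):
    """Return {source: {domain: count}} for rows whose action is sinkhole."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same condition as the log filter (action eq sinkhole), case-insensitive.
        if (row.get("action") or "").strip().lower() != "sinkhole":
            continue
        src = (row.get("src") or "").strip()
        # Normalize case and a trailing root dot so one domain is counted once.
        domain = (row.get("domain") or "").strip().lower().rstrip(".")
        if src and domain:
            hits[src][domain] += 1
    return {src: dict(domains) for src, domains in hits.items()}


def rank_sources(summary):
    """Return (source, total queries, distinct domains), busiest source first."""
    totals = [(src, sum(d.values()), len(d)) for src, d in summary.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, total, unique in rank_sources(summarize_sinkholed(SAMPLE_CSV)):
        print(f"{src}: {total} sinkholed queries, {unique} distinct domains")
```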
