How to Configure DNS Sinkhole
An internal DNS server causes the original source IP address of an infected host to be lost.
Palo Alto Networks firewall.
A DNS sinkhole is used to identify compromised hosts on a network where an internal DNS server sits between the hosts and the firewall. In that topology the firewall never sees the original source IP address of the host that issued the query: the internal DNS server answers the host from its cache or, on a cache miss, sends a new query of its own upstream.
As a result, the firewall records the suspicious DNS query in the Threat log with the internal DNS server as the source IP. Without a sinkhole, the administrator has to dig through the DNS server's own logs to trace which host originally sent the malicious query.
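The following is an added example, not code from the original article or from Palo Alto Networks. It models the query path described above in plain Python: hosts ask an internal resolver, the resolver caches answers and forwards only cache misses to the firewall, and the firewall writes a Threat log entry for a malicious domain. With a sinkhole configured, the firewall rewrites the DNS answer to the sinkhole address, so each infected host then opens its own session to that address and shows up in the Traffic log under its real source IP. All addresses, the domain names and the log layout are constructed placeholders, not PAN-OS export format.

```python
"""Toy model of the resolver-in-the-path problem and the DNS sinkhole fix.

Constructed example: addresses and domains are placeholders (RFC 5737
documentation ranges), and the log tuples are simplified, not PAN-OS fields.
"""

SINKHOLE_IP = "198.51.100.1"   # assumption: address the firewall hands out as the sinkhole
RESOLVER_IP = "10.0.0.2"       # assumption: the internal DNS server
MALICIOUS = {"bad.example": "203.0.113.9"}     # constructed C2 domain and its real address
BENIGN = {"www.example": "203.0.113.10"}       # constructed benign domain


class Firewall:
    """Inspects forwarded DNS queries. A malicious domain produces a Threat
    log entry; if a sinkhole address is configured the answer is rewritten
    to it. Every host-to-server session is written to the Traffic log."""

    def __init__(self, sinkhole_ip=None):
        self.sinkhole_ip = sinkhole_ip
        self.threat_log = []    # (src_ip, domain, action)
        self.traffic_log = []   # (src_ip, dst_ip)

    def forward_query(self, src_ip, domain):
        answer = {**MALICIOUS, **BENIGN}.get(domain)
        if domain in MALICIOUS:
            action = "sinkhole" if self.sinkhole_ip else "alert"
            # src_ip here is whoever sent the query to the firewall: the resolver
            self.threat_log.append((src_ip, domain, action))
            if self.sinkhole_ip:
                answer = self.sinkhole_ip
        return answer

    def session(self, src_ip, dst_ip):
        self.traffic_log.append((src_ip, dst_ip))


class Resolver:
    """Internal DNS server: serves repeat lookups from cache and issues a
    brand-new query, from its own IP, on a cache miss."""

    def __init__(self, ip, firewall):
        self.ip, self.firewall, self.cache = ip, firewall, {}

    def resolve(self, domain):
        if domain not in self.cache:
            self.cache[domain] = self.firewall.forward_query(self.ip, domain)
        return self.cache[domain]


def simulate(sinkhole):
    """Two infected hosts and one clean host resolve names, then connect."""
    fw = Firewall(SINKHOLE_IP if sinkhole else None)
    resolver = Resolver(RESOLVER_IP, fw)
    lookups = [("10.0.0.5", "bad.example"),
               ("10.0.0.6", "www.example"),
               ("10.0.0.7", "bad.example")]   # served from cache: never reaches the firewall
    for host_ip, domain in lookups:
        fw.session(host_ip, resolver.resolve(domain))
    return fw


def threat_sources(fw):
    """Source IPs the Threat log attributes the malicious queries to."""
    return sorted({src for src, _, _ in fw.threat_log})


def sinkholed_hosts(fw):
    """Hosts that opened a session to the sinkhole address (Traffic log)."""
    if fw.sinkhole_ip is None:
        return []
    return sorted({src for src, dst in fw.traffic_log if dst == fw.sinkhole_ip})


if __name__ == "__main__":
    for sinkhole in (False, True):
        fw = simulate(sinkhole)
        print(f"sinkhole={sinkhole}: threat log sources {threat_sources(fw)}, "
              f"{len(fw.threat_log)} threat entries, "
              f"hosts seen at sinkhole {sinkholed_hosts(fw)}")
```

Two things the model makes visible. First, in both runs the Threat log names only 10.0.0.2, the resolver, and holds a single entry: the second infected host's lookup was a cache hit and never produced a query the firewall could inspect, so the Threat log cannot even tell you how many hosts are involved. Second, once the sinkhole is configured the Traffic log shows 10.0.0.5 and 10.0.0.7 connecting to 198.51.100.1 under their own addresses, because the connection to the sinkhole is made by the host, not the resolver. Filtering the Traffic log on the sinkhole address as destination is therefore the practical way to enumerate infected hosts.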