How to Configure DNS Sinkhole
Created On 09/25/18 17:30 PM - Last Modified 01/05/21 19:44 PM
An internal DNS server causes the original source IP of an infected host to be lost.
Palo Alto Networks firewall.
DNS sinkhole can be used to identify infected hosts on a network where an internal DNS server sits in the path to the firewall. Such a server hides the original source IP address of the host that first issued the query: the internal DNS server receives the query and, if the name-to-IP resolution is not in its local cache, sources a new query of its own toward the firewall.
As a result, the firewall reports malicious DNS queries in the Threat logs with the internal DNS server as the source IP. The administrator is then forced to search the DNS server's logs to trace which infected host actually originated the malicious query.
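The following simulation, added here and not part of the original article or of any Palo Alto Networks code, models the two situations the text describes: a resolver that sources its own upstream queries, so the Threat log shows only the resolver's address, and the same network with a sinkhole address handed back in the DNS answer, so the infected host's next connection attempt to that address appears in the Traffic log under its real source IP. All addresses, the domain name, the log dictionaries and the class and function names are constructed for illustration.

```python
# Constructed simulation of DNS sinkholing behind an internal resolver.
# Not Palo Alto Networks code; every value below is an assumption for the demo.
from dataclasses import dataclass, field

MALICIOUS_DOMAIN = "bad.example"   # constructed: a name the firewall treats as malicious
SINKHOLE_IP = "10.255.255.254"     # constructed: address returned instead of the real one
REAL_ANSWER = "203.0.113.10"       # constructed: what upstream DNS would really return
INTERNAL_DNS = "10.0.0.53"         # constructed: the internal resolver's address


@dataclass
class Firewall:
    """Minimal model: inspects DNS queries and logs sessions that cross it."""
    sinkhole_enabled: bool
    threat_log: list = field(default_factory=list)
    traffic_log: list = field(default_factory=list)

    def handle_dns_query(self, src_ip, qname):
        """Return the answer the querying resolver will cache."""
        if qname != MALICIOUS_DOMAIN:
            return REAL_ANSWER  # benign name: passed through unchanged
        # The source seen here is whoever sent the packet, i.e. the resolver.
        self.threat_log.append({
            "src": src_ip,
            "qname": qname,
            "action": "sinkhole" if self.sinkhole_enabled else "alert",
        })
        return SINKHOLE_IP if self.sinkhole_enabled else REAL_ANSWER

    def handle_connection(self, src_ip, dst_ip):
        """Log a session; a session to the sinkhole address carries the host's own IP."""
        self.traffic_log.append({
            "src": src_ip,
            "dst": dst_ip,
            "to_sinkhole": dst_ip == SINKHOLE_IP,
        })


@dataclass
class InternalResolver:
    """Caching resolver that re-sources uncached queries from its own address."""
    fw: Firewall
    cache: dict = field(default_factory=dict)

    def resolve(self, client_ip, qname):
        # client_ip is intentionally unused upstream: the resolver's own
        # address becomes the source the firewall sees.
        if qname not in self.cache:
            self.cache[qname] = self.fw.handle_dns_query(INTERNAL_DNS, qname)
        return self.cache[qname]


def run_scenario(sinkhole_enabled, infected_hosts):
    """Each infected host resolves the malicious name, then connects to the answer."""
    fw = Firewall(sinkhole_enabled)
    resolver = InternalResolver(fw)
    for host in infected_hosts:
        answer = resolver.resolve(host, MALICIOUS_DOMAIN)
        fw.handle_connection(host, answer)
    return fw


def threat_log_sources(fw):
    """What an administrator sees as the source of the malicious query."""
    return sorted({e["src"] for e in fw.threat_log})


def infected_hosts_from_traffic(fw):
    """Hosts identifiable from sessions to the sinkhole address."""
    return sorted({e["src"] for e in fw.traffic_log if e["to_sinkhole"]})


if __name__ == "__main__":
    hosts = ["10.0.1.25", "10.0.1.40"]  # constructed infected hosts
    for enabled in (False, True):
        fw = run_scenario(enabled, hosts)
        print(f"sinkhole={enabled}: threat log sources {threat_log_sources(fw)}, "
              f"hosts found via traffic log {infected_hosts_from_traffic(fw)}")
```

Note that the resolver's cache means the second host's query never reaches the firewall at all, so even a perfect DNS-level log would list only one event, attributed to the resolver; the Traffic log entries to the sinkhole address are what enumerate every infected host.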