DNS sinkhole is a way to spoof DNS servers to prevent resolving host names of suspected malicious URLs. This is achieved by configuring the DNS forwarder to return a false IP address to a specific URL. DNS sinkholing can be used to prevent access of malicious URLs in an enterprise level. Access to those malicious URLs can then be blocked by adding a security policy to deny access to the false IP address. Please watch the video below to learn how to Configure DNS Sinkhole on a Palo Alto Networks firewall.
Video Transcript: How to Configure DNS Sinkhole
Hello, this is Joe Delio from the Palo Alto Networks Community team.
In this video tutorial, I will be covering How to Configure DNS Sinkhole.
I will show you how to configure DNS Sinkhole on a Palo Alto Networks firewall.
Also, If you need to know how to verify your DNS Sinkhole config, please refer to this article: How to Verify DNS Sinkhole: and I'll be covering that in a different tutorial video.
Starting with PAN-OS 6.0, DNS sinkhole is a new action that can be enabled in Anti-Spyware profiles.
Make sure the latest Antivirus updates are installed on the Palo Alto Networks device.
Configure the DNS Sinkhole Protection inside an Anti-Spyware profile.
Place the Anti-Spyware profile in the outbound internet rule.
Configure a security policy rule to block access to the IP address chosen in Step 2.
Step 1. Make sure the latest Antivirus updates are installed on the Palo Alto Networks device
Let's begin by logging into the WebGUI, and into the Device, then Dynamic Updates on the left.
Click Check Now in the lower left, then please make sure that your Anti-Virus updates are current.
If they are now, please do that before proceeding. You can always configure Automatic Updates if they are not set up.
Important! You need to have a paid Anti-virus subscription for the DNS Sinkhole function to work properly.
Step 2. Configure the DNS Sinkhole Protection inside an Anti-Spyware profile
Next, let's configure the Anti-Spyware profile.
Select Objects, then Anti-Spyware under Security Profiles on the left.
You have to use either an existing profile or create a new profile. For simplicity, I'm going to reuse a profile I already have, 'alert-all.'
Click the name of the profile, alert-all, then select DNS Signatures.
The first thing you need to do is change the 'Action on DNS queries' from alert to sinkhole.
Then click in the Sinkhole IPv4 field and type in the fake IP. I am using 220.127.116.11 for simplicity, but as long as the IP is not used inside your network, then you should be OK.
Note: Something very important when choosing this 'fake IP.' This IP address needs to be a fictitious IP address that cannot exist anywhere inside your network. DNS and the HTTP traffic have to travel through the firewall for it to detect the malicious URL, then stop access to the fake IP. If the fake IP is routed to a different location, and not through the firewall, then this will not work properly.
Next, select Sinkhole IPv6 and enter a fake IPv6 IP. Even if you do not use IPv6 yet, you still need to enter something. If you do not know what to use, ::1 should be OK to use. Click OK.
Note: If you do not type in anything for the Sinkhole IPv6 field, you will not be able to click OK.
Notice how all of the Rule Names, severity and actions are already complete? This is why I decided to choose an Anti-Spyware profile that was already there.
Step 3. Place the Anti-Spyware profile in the outbound internet rule
After that is complete, we need to ensure that the security rule for outbound traffic (for DNS request) is using that Anti-spyware profile.
Select Policies, and then Security on the left side.
Inside your rules, locate the rule that allows DNS traffic outbound, click on the name, go to the Actions tab, and make sure that the proper Anti-Spyware profile is selected. Click OK.
Step 4. Configure a security policy rule to block access to the IP address chosen in Step 2
One last thing—you need to have a security rule that blocks all access to the fake IP 18.104.22.168 and ::1 if you are using IPv6. There is no need for an application, as you want to stop all access before the application is determined. If you need to be granular, then you can add Service HTTP(80) and HTTPS(443) but it is not needed. Then make sure that the action is to block.
After you commit the change, you are done.
In the follow-on to this video, How to Verify DNS Sinkhole is Working, we'll test and verify that you have this set up and working properly. If you would prefer an article, please use the link inside the transcript near the bottom.