How to Verify DNS Sinkholing on 9.0 and 9.1

To test DNS sinkhole functions it is best to get a new URL from the latest published list of malicious URLs.
To get this list go to the Device tab and select Dynamic Updates and check the release notes for the currently installed AV content.

The list will show up in a new window, simply scroll down the list until New Spyware Signatures is seen.

Select any Domain from the list. Be sure you only select the FQDN and not the signature.
The first part is the signature name Backdoor.bladabindi the second half is the FQDN which is the part you need to use to test.
For example Backdoor.bladabindi:flexin.duckdns.org the only part you need is flexin.duckdns.org.

When performing an Nslookup on a firewall with an OS of 8.1 we see the Palo Alto Sinkhole IP

Now with 9.0 we see the non authoritative answer but no address. This is because the response is a cname not an address.

If we type in >set type=cname we get the following.

As you can see the DNS request now returns the Cname of sinkhole.paloaltonetworks.com.


If you need an IP address to show it is recommended to use one of your own sinkhole IP addresses or the loopback address.

On 9.0 and 9.1 Palo Alto Networks DNS signature or DNS Security service does not resolve to sinkhole IP addresses. It will only resolve a Cname and only if you set nslookup to show it.
The request will still be sinkholed and blocked it just does not resolve an IP address.

If set to the loopback address or an address of your choosing the return will be that address, and the request will still be sinkholed.