2015-04-21

Posted by: Tony Tanzi, Security Consulting Engineer

DNS sinkholing is an action, introduced in PAN-OS 6.0, which can be enabled in Anti-Spyware profiles. A DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to a definable IP address. This feature can be used to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client’s DNS query (that is, the firewall cannot see the originator of the DNS query).

Steps

1. Make sure the latest Antivirus updates are installed on the Palo Alto Networks device.

2. Create a loopback interface (Network > Interfaces > Loopback) with the “sinkhole” IP address. The following example uses the “loopback.10” interface:



3. Create an Anti-Spyware profile (Objects > Security Profiles > Anti-Spyware) where DNS sinkholing is enabled, and specify the IP address of the loopback interface:



4. Apply the Anti-Spyware profile on the security policy that allows DNS traffic from the internal network (or internal DNS server) to the internet:



5. Commit the configuration.

Once configured, you can monitor the threat log and even create a custom report on the ‘sinkhole’ action in the threat logs. Combined with the botnet report, this gives two independent sources of information about machines whose behavior warrants a closer look.
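The monitoring step above is where the sinkhole pays off: the threat log records which queries were sinkholed, and the traffic log records which hosts then connected to the sinkhole address, which is the host you actually care about when an internal DNS server sits between the client and the firewall. The following Python is an added example, not code from the original post or from Palo Alto Networks. It uses constructed sample log lines in a simplified key=value layout (real PAN-OS threat and traffic logs are comma-separated with many more fields; the field names `type`, `src`, `dst`, `dport`, `threat` and `action` here are illustrative only), and it assumes the sinkhole address 10.10.10.10 and an internal DNS server at 192.168.1.53.

```python
from collections import Counter, defaultdict

# Assumed sinkhole address configured on loopback.10 (assumption, not from the post).
SINKHOLE_IP = "10.10.10.10"

# Constructed sample lines in a simplified key=value form. Real PAN-OS logs are
# CSV with many more columns; this layout exists only to make the example runnable.
THREAT_LOG = [
    "type=THREAT src=192.168.1.53 dst=8.8.8.8 dport=53 threat=bad.example(1234) action=sinkhole",
    "type=THREAT src=192.168.1.53 dst=8.8.8.8 dport=53 threat=evil.example(5678) action=sinkhole",
    "type=THREAT src=192.168.1.77 dst=8.8.8.8 dport=53 threat=bad.example(1234) action=alert",
]
TRAFFIC_LOG = [
    "type=TRAFFIC src=192.168.1.20 dst=10.10.10.10 dport=443 action=allow",
    "type=TRAFFIC src=192.168.1.21 dst=10.10.10.10 dport=80 action=allow",
    "type=TRAFFIC src=192.168.1.20 dst=10.10.10.10 dport=443 action=allow",
    "type=TRAFFIC src=192.168.1.30 dst=93.184.216.34 dport=443 action=allow",
]


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    return dict(kv.split("=", 1) for kv in line.split())


def sinkholed_queries(lines):
    """Map each source IP whose DNS query was sinkholed to the set of threat names."""
    hits = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec.get("type") == "THREAT" and rec.get("action") == "sinkhole":
            hits[rec["src"]].add(rec["threat"])
    return dict(hits)


def sinkhole_connections(lines, sinkhole_ip=SINKHOLE_IP):
    """Count traffic-log sessions per source IP whose destination is the sinkhole."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec.get("type") == "TRAFFIC" and rec.get("dst") == sinkhole_ip:
            counts[rec["src"]] += 1
    return dict(counts)


def infected_hosts(threat_lines, traffic_lines, dns_servers, sinkhole_ip=SINKHOLE_IP):
    """Hosts worth investigating: anything that talked to the sinkhole, plus any
    sinkholed query source that is not a known internal DNS server (a resolver
    shows up as the query source when it forwards on behalf of clients, so it is
    excluded here; the real client appears in the traffic log instead)."""
    suspects = set(sinkhole_connections(traffic_lines, sinkhole_ip))
    suspects |= {src for src in sinkholed_queries(threat_lines) if src not in dns_servers}
    return sorted(suspects)


if __name__ == "__main__":
    print("sinkholed queries:", sinkholed_queries(THREAT_LOG))
    print("sinkhole connections:", sinkhole_connections(TRAFFIC_LOG))
    print("hosts to investigate:", infected_hosts(THREAT_LOG, TRAFFIC_LOG, {"192.168.1.53"}))
```

In the sample data the threat log names only the DNS server as the query source, while the traffic log reveals 192.168.1.20 and 192.168.1.21 as the machines that followed the forged answer to the sinkhole. A host that generates sinkhole hits without ever connecting to the sinkhole address is also worth a look, which is why the traffic-log and threat-log views are combined rather than used alone.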

Comm Solutions is a Palo Alto Networks Platinum Partner, to learn more visit: http://www.commsolutions.com/partners/palo-alto-networks/
