DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in
Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4—18.104.22.168 and a loopback address IPv6 address—::1. These address are subject to change and can be updated with content updates.