Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or for a custom domain, so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
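A host that acts on the forged answer then tries to connect to the sinkhole address, so connection records to that address point at the clients to investigate. The following is an added example, not Palo Alto Networks code: the CSV layout, the sample records, the function name and the sinkhole address (a TEST-NET-1 placeholder) are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Placeholder sinkhole address (TEST-NET-1), not the vendor's real sinkhole IP.
# Substitute the address configured in your Anti-Spyware profile.
SINKHOLE_IP = ipaddress.ip_address("192.0.2.53")

# Constructed connection records in a hypothetical CSV layout.
SAMPLE_LOG = """\
time,src,dst,dport
2024-05-01T10:00:03Z,10.1.20.15,192.0.2.53,443
2024-05-01T10:00:09Z,10.1.20.15,192.0.2.53,80
2024-05-01T10:01:12Z,10.1.30.7,198.51.100.20,443
2024-05-01T10:02:40Z,10.1.40.22,192.0.2.53,443
2024-05-01T10:03:00Z,not-an-ip,192.0.2.53,443
2024-05-01T10:05:31Z,10.1.20.15,192.0.2.53,443
"""

def hosts_contacting_sinkhole(log_text, sinkhole=SINKHOLE_IP):
    """Return {source IP: summary} for every client that tried to reach the sinkhole."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            port = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed records instead of aborting the hunt
        if dst != sinkhole:
            continue  # ordinary traffic, not a sinkholed lookup
        ts = row["time"]
        h = hits[str(src)]
        h["count"] += 1
        h["ports"].add(port)
        # ISO 8601 UTC timestamps in a single format sort lexicographically.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    found = hosts_contacting_sinkhole(SAMPLE_LOG)
    for host, h in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        print(host, h["count"], h["first"], h["last"], sorted(h["ports"]))
```

Repeated attempts from one source over time, as with 10.1.20.15 in the sample, are a stronger signal than a single hit and a reasonable way to order the follow-up.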
