DNS Sinkhole feature on Palo Alto Firewall

References:

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/NewFeaturesGuide/section_3.pdf

https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

Why use DNS Sinkhole?

Picture this: you have infected hosts on your network that are connecting to malicious websites and portals. DNS resolution plays a vital role in that communication, because the malware must first resolve the domain name of the server it wants to reach before it can connect to it.

When a DNS query for a known malicious domain passes through the firewall, the Palo Alto firewall identifies it using the DNS signatures in its Anti-Spyware profile and forges a response that resolves the domain to a sinkhole IP address that you provide/configure. The infected host then tries to connect to the sinkhole address instead of the real malicious server. This matters because most clients resolve names through an internal DNS server: the firewall only sees the resolver's recursive query, so the threat log records the DNS server's IP rather than the infected client's. The follow-up connection to the sinkhole, however, is made by the client itself and shows up in the traffic log with the client's own source address, which is how you find the infected host.

Palo Alto firewalls support both an IPv4 and an IPv6 DNS sinkhole address, so the technique also works for hosts that resolve and connect over IPv6.

Configuring DNS Sinkhole on Palo Alto Firewall:

DNS sinkhole configuration on a Palo Alto firewall is as simple as entering the sinkhole IPv4 (and optionally IPv6) address in the DNS Signatures settings of an Anti-Spyware security profile and setting the action for those signatures to sinkhole.

That Anti-Spyware profile is then attached to the security policy rule that allows outbound DNS traffic (the rule matching the queries from your internal DNS server, or from the clients themselves, to external resolvers). Only traffic matched by a rule carrying the profile is inspected, so if the DNS queries hit a different rule the sinkhole never triggers.

An important point here is that the sinkhole address must belong to a zone on the firewall other than the zone from which the DNS queries are received, i.e. not the zone the client hosts sit in. If the sinkhole address were in the clients' own zone, the connection attempt would never traverse the firewall and nothing would be logged; placing it in a separate zone (a dedicated sinkhole zone works well) forces the session through the firewall so the traffic log captures the client's real source IP, which is the whole point of the exercise.
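To show what the sinkhole actually gives you once it is configured, here is an added example (not code from this post or from Palo Alto Networks) that looks for infected hosts in a constructed threat-log and traffic-log export. It assumes sinkhole addresses of 192.0.2.1 and 2001:db8::1 (documentation ranges chosen for the example, not PAN-OS defaults), an internal DNS server at 10.0.0.53, a sinkhole zone named "sinkhole", and a reduced comma-separated log layout that is not the real PAN-OS CSV export format.

```python
"""Find infected hosts from DNS-sinkhole hits.

Added example for this post, not Palo Alto Networks code. The log layout is a
reduced, constructed format and the addresses are example values.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Assumed sinkhole addresses (RFC 5737 / RFC 3849 documentation ranges chosen
# for the example; these are not defaults shipped with PAN-OS).
SINKHOLE_ADDRESSES = frozenset({
    ipaddress.ip_address("192.0.2.1"),
    ipaddress.ip_address("2001:db8::1"),
})

# Constructed threat-log rows (reduced layout, not the real PAN-OS CSV export).
# The sinkhole verdict is recorded against whoever sent the query the firewall
# saw: here the internal DNS server 10.0.0.53, which recursed for its clients.
THREAT_LOG = """\
time,src_ip,dst_ip,threat,action
2024-01-01 10:00:01,10.0.0.53,198.51.100.10,Suspicious DNS Query (bad.example),sinkhole
2024-01-01 10:05:13,10.0.0.53,198.51.100.10,Suspicious DNS Query (evil.example),sinkhole
"""

# Constructed traffic-log rows. Because the sinkhole address lives in its own
# zone, the client's follow-up connection crosses the firewall and is logged
# with the client's real source address. The last row is deliberately malformed.
TRAFFIC_LOG = """\
time,src_zone,dst_zone,src_ip,dst_ip,dst_port,app,action
2024-01-01 10:00:01,trust,untrust,10.0.0.53,198.51.100.10,53,dns,allow
2024-01-01 10:00:02,trust,sinkhole,10.0.1.25,192.0.2.1,443,ssl,allow
2024-01-01 10:00:09,trust,untrust,10.0.1.30,203.0.113.7,443,ssl,allow
2024-01-01 10:05:14,trust,sinkhole,10.0.1.25,192.0.2.1,80,web-browsing,deny
2024-01-01 10:05:20,trust,sinkhole,2001:db8:1::42,2001:db8::1,8080,unknown-tcp,deny
2024-01-01 10:06:00,trust,sinkhole,not-an-ip,192.0.2.1,443,ssl,allow
"""


def _parse_ip(text):
    """Return an ip_address for text, or None if the field is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def threat_log_sources(threat_csv):
    """Source IPs carrying a sinkhole verdict in the threat log.

    With clients resolving through an internal DNS server this is the
    resolver's address, so it does not identify the infected machine.
    """
    return {
        row["src_ip"]
        for row in csv.DictReader(StringIO(threat_csv))
        if row["action"] == "sinkhole"
    }


def sinkholed_hosts(traffic_csv, sinkhole_addresses=SINKHOLE_ADDRESSES):
    """Map each host that tried to reach a sinkhole address to its attempts.

    Allowed and denied sessions both count: the attempt is the indicator of
    compromise, whatever the policy did with it. Rows whose addresses do not
    parse are skipped rather than aborting the whole report.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(StringIO(traffic_csv)):
        src = _parse_ip(row["src_ip"])
        dst = _parse_ip(row["dst_ip"])
        if src is None or dst is None or dst not in sinkhole_addresses:
            continue
        hits[str(src)].append(
            (row["time"], int(row["dst_port"]), row["app"], row["action"])
        )
    return dict(hits)


def report(threat_csv=THREAT_LOG, traffic_csv=TRAFFIC_LOG):
    """Human-readable summary; returns the lines so callers can check them."""
    resolvers = ", ".join(sorted(threat_log_sources(threat_csv)))
    lines = ["Threat log points at the resolver(s): " + resolvers]
    for host, attempts in sorted(sinkholed_hosts(traffic_csv).items()):
        lines.append(f"Infected host {host}: {len(attempts)} sinkhole connection attempt(s)")
        for when, port, app, action in attempts:
            lines.append(f"  {when} port {port} app {app} action {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as a script it prints the resolver from the threat log and then the two real offenders, 10.0.1.25 and 2001:db8:1::42, with the ports and applications they tried. Against a real firewall you would export the traffic log filtered on the sinkhole zone or the sinkhole address and feed it to the same logic; the denied sessions are just as useful as the allowed ones, since the attempt itself is the evidence, and the sinkhole zone is what guarantees those sessions reach the firewall and get logged at all.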

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891
