DNS Sinkhole feature on Palo Alto Firewall

DNS Sinkhole feature on Palo Alto Firewalls

References:

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/NewFeaturesGuide/section_3.pdf

https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

Why use DNS Sinkhole?

Picture this that you have infected hosts on your network that are connecting to malicious websites, websites and portals that are totally not secure. DNS resolution and DNS queries play a vital role here in such communication.

When there is a DNS query for malicious domain, Palo Alto firewall can identify this and cause malicious domain to be resolved to a SINK HOLE IP ADDRESS that you provide/configure.

Palo Alto supports both IPv4 and IPv6 DNS Sinkhole address.

Configuring DNS Sinkhole on Palo Alto Firewall:

DNS Sinkhole configuration on Palo Alto firewall is as simple as including DNS sinkhole IPv4 address in antisypware security profile on Palo Alto.

This security profile will then be called in a security policy on the firewall allowing outbound DNS communication.

Important note here is that sinkhole address should belong to a zone on firewall other than the zone where DNS query is received.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s