https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239930#M6391 <P>Outstanding research!</P> Mon, 13 Oct 2025 17:21:35 GMT TomYoung 2025-10-13T17:21:35Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1238869#M6334 <P>The DNS sinkhole option works perfectly well with a Microsoft DNS environment. Unfortunately, it fails if you try to perform DNS-sinkhole injection in front of a BIND DNS server running on Red Hat Linux. Requests to malicious domains simply time out:</P> <P>&nbsp;</P> <P>Test-Domain from PaloAlto (works fine):<BR />nslookup -query=cname test-c2.testpanw.com<BR />test-c2.testpanw.com canonical name = sinkhole.paloaltonetworks.com</P> <P>&nbsp;</P> <P>Malicious-Domain (should display the sinkhole cname instead of a timeout):<BR />nslookup -query=cname apleona.co<BR />DNS request timed out</P> <P>&nbsp;</P> <P>Has anyone else experienced anything similar?</P> Fri, 26 Sep 2025 06:09:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1238869#M6334 HeinzP 2025-09-26T06:09:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239121#M6354 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/901194817">@HeinzP</a>&nbsp;,</P> <P>&nbsp;</P> <P>Here is a related discussion.&nbsp;&nbsp;<A href="https://www.reddit.com/r/dns/comments/p6g2lq/cant_resolve_some_sites_using_our_internal/" target="_blank">https://www.reddit.com/r/dns/comments/p6g2lq/cant_resolve_some_sites_using_our_internal/</A></P> <P>&nbsp;</P> <P>That person also had the same issue.&nbsp; Unless someone else posts the solution, you will need to open a TAC case.&nbsp; At least my response will put this thread on the top of the queue so others may see it.&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 30 Sep 2025 15:32:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239121#M6354 TomYoung 2025-09-30T15:32:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239679#M6381 <P>After several hours of debugging, I finally found the root cause of this problem.</P> <P><BR />DNSSEC validation is enabled by default on a BIND DNS server (dnssec-validation auto).</P> <P>&nbsp;</P> <P>In our case, the DNS server is configured as a resolver, so every DNS request will query the root DNS server for the corresponding top-level DNS servers etc. All these requests are intercepted by Palo's sinkhole feature. Therefore, DNSSEC validation fails and does not return an answer.</P> <P>&nbsp;</P> <P>To mitigate this problem, there are several options:</P> <P>1.) Disable DNSSEC validation on the Bind server.<BR />2.) Instead of using the resolver, configure your DNS server to forward to an external DNS server (e.g. Google).<BR />3.) Disable the sinkhole feature on all root and top-level DNS servers, because DNSSEC is primarily used at this level and is not very popular in user domains.</P> <P>&nbsp;</P> <P>I used option 3 and generated an IP list of all root and top-level DNS <SPAN>servers (<A href="https://www.internic.net/domain/root.zone" target="_blank">internic.net/domain/root.zone</A>) using PowerShell. This list was configured as an EDL in a firewall rule as the destination with the DNS security feature disabled.</SPAN></P> Fri, 10 Oct 2025 16:53:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239679#M6381 HeinzP 2025-10-10T16:53:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239930#M6391 <P>Outstanding research!</P> Mon, 13 Oct 2025 17:21:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dns-sinkhole-injection/m-p/1239930#M6391 TomYoung 2025-10-13T17:21:35Z