topic DNS sinkhole in General Topics

DNS sinkhole

valizada — Thu, 06 Mar 2025 09:12:06 GMT

Hello everybody,

How many policy we need for block and review source of infected hosts?

One or two?

Internal dns is using but we can not see source of users.

Re: DNS sinkhole

Raido_Rattameister — Thu, 06 Mar 2025 14:01:33 GMT

Enable DNS Security in Anti-Spyware profile.

Attach Anti-Spyware to all policies that apply for traffic where you need to identify infected hosts (ideally all).

Re: DNS sinkhole

TomYoung — Thu, 06 Mar 2025 14:20:39 GMT

Hi @valizada ,

Only one security policy rule is needed to identify infected hosts. Please see #3 in this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0.

For those not familiar with this practice, most outbound DNS requests will come from the company's internal DNS server. To identify the infected hosts, you can create a security policy rule to match traffic to the sinkhole FQDN. The traffic that matches this rule will have the source IP addresses of the hosts that initially requested the suspect domain. The Day 1 Configuration includes an example rule. The BPA also recommends this rule.

Thanks,

Tom

Re: DNS sinkhole

Raido_Rattameister — Thu, 06 Mar 2025 14:56:33 GMT

For DNS Sinkhole to work it is enough to have it configured only on 1 rule - domain controller to Internet.

But in this case also make sure that all devices actually have domain controller set as DNS server.

Not having Anti-Spyware configured for all outgoing policies you will loose DNS Security protection for devices that connect to Internet hosted DNS servers.

Best would be to also use DNS Proxy to make sure infected internal device is not trying to bypass URL categorization by having hardcoded IPs.