topic Can you have multiple DNS Sink in General Topics

Can you have multiple DNS Sink

AdamCoombs — Tue, 15 Nov 2016 22:18:59 GMT

I have a question about DNS sink hole in the corporate enivorment.

If you have multiple DNS servers and multiple Palo Altos firewalls.

Can you configure palo alto firewalls to work with all the dns servers?

Do you have to setup each firewall with different sink hole zones or same zone?

The OS is 7.1

Any help with would be great on this

Re: Can you have multiple DNS Sink

OtakarKlier — Tue, 15 Nov 2016 23:45:34 GMT

Hello,

A DNS sinkhole is 'fake' IP so make sure you are not using it, the example shows 1.1.1.1. The zone doesnt really matter ,what matters is that your traiffic policy has the Anti-Spyware settings. It will need to be setup on each cluster or standable PAN's you have.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891

Hope this helps.

Re: Can you have multiple DNS Sink

AdamCoombs — Wed, 16 Nov 2016 20:03:04 GMT

I have read this information, but just wanting to verify that if I have two different palo altos devices that can route between each other that will not cause a issue.

So here is a example I want to make sure will work

Palo Alto A sinkhole ip address 2.2.2.2 DNS server 10.0.0.1, 10.0.0.2

Palo Alto B sinkhole ip address 3.3.3.3 DNS server 10.10.0.1, 10.10.0.2

Palo Alto A will block bad dns requested from 10.0.0.1, 10.0.0.2 and 10.10.0.1, 10.10.0.2

Same thing on Palo Alto B

When I look at logs in threats area I see sinkhole on both palo alto's

Re: Can you have multiple DNS Sink

santonic — Thu, 17 Nov 2016 09:47:46 GMT

DNS sinkhole on PA simply checks every DNS request going through rule with specific anti-spyware profile (doesn't matter from which server, PC or whatever device) and replaces DNS response with fake IP in cases where domain is recognised as suspicious or malware.

Yes, on different FWs you can have different IPs as sinkhole. In fact you can also have different IPs as sinkhole in diferent anti-spyware profiles on same device. Though I don't really see a benefit of different IPs as sinkhole.

Re: Can you have multiple DNS Sink

santonic — Thu, 17 Nov 2016 09:53:32 GMT

If you already had suspicious DNS queries on block you can't cause any issue with changing to sinkhole. If you had them on alert or allow till now you will now disrupt these queries (with fake IP) and i guess you risk false positives. But so far I haven't seen a false positive with suspicious DNS queries yet.

Re: Can you have multiple DNS Sink

AdamCoombs — Thu, 17 Nov 2016 14:45:57 GMT

That is what I thought too santonic, I need to check with someone.

I did not know you could set different Fake IP address on different DNS sink profiles nice