11-15-2016 02:07 PM - edited 11-15-2016 02:18 PM
I have a question about DNS sinkhole in the corporate environment.
If you have multiple DNS servers and multiple Palo Alto firewalls,
can you configure the Palo Alto firewalls to work with all the DNS servers?
Do you have to set up each firewall with different sinkhole zones or the same zone?
The OS is 7.1.
Any help with this would be great.
11-15-2016 03:45 PM
Hello,
A DNS sinkhole is a 'fake' IP, so make sure you are not using it; the example shows 1.1.1.1. The zone doesn't really matter; what matters is that your traffic policy has the Anti-Spyware settings. It will need to be set up on each cluster or standalone PAN you have.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891
Hope this helps.
11-16-2016 12:03 PM
I have read this information, but I just want to verify that if I have two different Palo Alto devices that can route between each other, that will not cause an issue.
So here is an example I want to make sure will work:
Palo Alto A: sinkhole IP address 2.2.2.2, DNS servers 10.0.0.1, 10.0.0.2
Palo Alto B: sinkhole IP address 3.3.3.3, DNS servers 10.10.0.1, 10.10.0.2
Palo Alto A will block bad DNS requests from 10.0.0.1, 10.0.0.2 and 10.10.0.1, 10.10.0.2
Same thing on Palo Alto B
When I look at the logs in the threats area I see sinkhole on both Palo Altos
11-17-2016 01:47 AM
DNS sinkhole on the PA simply checks every DNS request going through a rule with a specific Anti-Spyware profile (it doesn't matter from which server, PC or whatever device) and replaces the DNS response with a fake IP in cases where the domain is recognised as suspicious or malware.
Yes, on different FWs you can have different IPs as the sinkhole. In fact you can also have different IPs as the sinkhole in different Anti-Spyware profiles on the same device, though I don't really see a benefit of different IPs as the sinkhole.
11-17-2016 01:53 AM
If you already had suspicious DNS queries on block, you can't cause any issue by changing to sinkhole. If you had them on alert or allow till now, you will now disrupt these queries (with the fake IP) and I guess you risk false positives. But so far I haven't seen a false positive with suspicious DNS queries yet.
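The replies above make the operational point that matters: the firewall rewrites the DNS response, so the infected endpoint is whichever host later opens a session to the fake address, not the DNS server that relayed the answer, and with two firewalls using two different sinkhole addresses (2.2.2.2 and 3.3.3.3 in the example in this thread) a host behind one firewall can receive the other firewall's fake IP if it resolves through a DNS server on the far side. The script below is an added example, not code from this thread or from Palo Alto Networks. It triages constructed, simplified traffic-log lines (the field order is hypothetical, not the real PAN-OS CSV layout) against every configured sinkhole address, skips the DNS servers themselves, and also checks that a chosen sinkhole address does not fall inside your own address space. Note that 1.1.1.1, used in the linked article, has since become a live public resolver, which is exactly the kind of address the "make sure you are not using it" advice rules out.

```python
"""Sinkhole hit triage over constructed firewall traffic-log lines (added example)."""
import ipaddress
from collections import defaultdict

# Sinkhole ("fake") addresses configured per firewall, using the thread's example values.
SINKHOLE_IPS = {"PA-A": "2.2.2.2", "PA-B": "3.3.3.3"}

# Internal DNS servers from the thread's example. The firewall rewrites the DNS
# *response*, so the suspect host is the one that later connects to the fake IP,
# not the resolver that forwarded the query on its behalf.
DNS_SERVERS = {"10.0.0.1", "10.0.0.2", "10.10.0.1", "10.10.0.2"}

# Address space you actually use (assumed here); a sinkhole IP must not sit inside it.
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed, simplified traffic-log lines (hypothetical layout, not PAN-OS CSV):
# firewall,src_ip,dst_ip,dst_port,app
SAMPLE_LOG = """\
PA-A,10.0.5.23,2.2.2.2,80,web-browsing
PA-A,10.0.5.23,2.2.2.2,443,ssl
PA-B,10.10.8.9,3.3.3.3,443,ssl
PA-A,10.0.5.77,93.184.216.34,443,ssl
PA-B,10.10.0.1,3.3.3.3,53,dns
PA-B,10.10.8.9,2.2.2.2,80,web-browsing
"""


def sinkhole_overlaps_internal(sinkhole_ip, internal_networks=INTERNAL_NETWORKS):
    """True if the chosen sinkhole address falls inside a network you really use."""
    addr = ipaddress.ip_address(sinkhole_ip)
    return any(addr in ipaddress.ip_network(net) for net in internal_networks)


def parse_line(line):
    """Split one constructed log line into a record."""
    fw, src, dst, port, app = line.strip().split(",")
    return {"fw": fw, "src": src, "dst": dst, "port": int(port), "app": app}


def sinkhole_hits(log_text, sinkhole_ips=SINKHOLE_IPS, dns_servers=DNS_SERVERS):
    """Map each suspect source host to its sessions toward ANY configured sinkhole IP.

    Every sinkhole address is checked on every firewall, because a client behind
    PA-B that resolves through a DNS server behind PA-A receives PA-A's fake IP.
    Sessions sourced by the DNS servers themselves are skipped: they are relaying
    a rewritten answer, not asking for the malicious domain.
    """
    fake_ips = set(sinkhole_ips.values())
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] not in fake_ips or rec["src"] in dns_servers:
            continue
        hits[rec["src"]].append((rec["fw"], rec["dst"], rec["port"], rec["app"]))
    return dict(hits)


def infected_hosts(log_text):
    """Sorted source IPs that contacted a sinkhole address: the hosts to go and clean."""
    return sorted(sinkhole_hits(log_text))


if __name__ == "__main__":
    for fw, ip in SINKHOLE_IPS.items():
        overlap = sinkhole_overlaps_internal(ip)
        print(f"{fw}: sinkhole {ip} overlaps internal address space: {overlap}")
    for host, sessions in sinkhole_hits(SAMPLE_LOG).items():
        print(host, sessions)
```

Run against the constructed lines, the two suspect hosts are 10.0.5.23 and 10.10.8.9; the 10.10.0.1 session is dropped because it is a DNS server, and the 10.10.8.9 session to 2.2.2.2 is still caught even though that is PA-A's sinkhole address seen on PA-B. Swap in your own sinkhole addresses, DNS servers and internal prefixes, and feed it real exported traffic logs once you have adjusted `parse_line` to the actual column layout.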
11-17-2016 06:45 AM
That is what I thought too, santonic; I need to check with someone.
I did not know you could set different fake IP addresses on different DNS sinkhole profiles, nice.