DNS Sinkhole not triggering for known malicious domains


L2 Linker

Hello, has anyone had any problems with DNS sinkhole not triggering on PAN-OS 6.1.4?


I have created a security policy for DNS traffic between a LAN side DNS server and a WAN side upstream DNS server; the Palo sits at the WAN edge between the two DNS servers. Attached to this security policy is an Anti-Spyware security profile with DNS action alert. This works as expected, alerting every time a query for a known malicious domain is seen, so no problem seeing the traffic, albeit with the LAN side DNS server as the source IP address.


So with a duplicate (higher) security rule and spyware profile now set to sinkhole, the traffic is seen as "DNS" by this new rule but does not trigger the threat and so does not receive the sinkhole IP address I have set.


Any help would be greatly appreciated.



L5 Sessionator

Check out this doc; it will surely help if the DNS sinkhole is configured properly.



L5 Sessionator

Make sure that the antivirus updates are consecutive: highest and second highest.

L6 Presenter

So you've got an Anti-Spyware policy set up like this:





With no logs in threat that look like this?





Do you have any "Traffic" logs of hosts going to your sinkhole IP?

Thanks for the response. For further info, as of today we are running AV 1797-2276 and I have performed further tests.


My sinkhole spyware profile is configured like this:



I then attempt to look up a known malicious domain. In the traffic logs I can see that my test traffic hits the correct security rule that should apply the DNS sinkhole IP address. However it does not sinkhole the traffic and does not trigger a threat log for a spyware domain.




Using packet capture I can see that my query contains the known malicious domain, as shown in the attached capture (dns2.JPG).


Does anyone have any further thoughts that may help please?


If you check the URL category as malicious then it will/may not trigger the sinkhole. Check the link that I have sent you and follow it once just for testing.



Download and install antivirus 1797-2276 and do the DNS lookup for "d1e9me*d3jmum*com" (replace * with .).

Not sure how the client is trying to connect to the sinkhole IP address if it's receiving an error code in the DNS response instead of the sinkhole IP address (unless the packet capture is missing something). By any chance is the client using an internal DNS server?


From RFC 1035 (DNS), the response "no such name":

    3               Name Error - Meaningful only for
                    responses from an authoritative name
                    server, this code signifies that the
                    domain name referenced in the query does
                    not exist.
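A way to make the distinction the reply above is drawing, as an added example that is not part of the original thread: parse the raw DNS response from the capture and report whether it carries an RCODE 3 (NXDOMAIN) from the upstream resolver or an A record pointing at the sinkhole address. The sinkhole IP and the sample responses are constructed here; substitute the address configured in your Anti-Spyware profile and feed it the UDP payload from your own capture.

```python
import struct
import ipaddress
SINKHOLE_IP = "10.255.255.1"  # hypothetical; use the address set in the Anti-Spyware profile
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def _read_name(buf, off):
    """Decode a DNS name at offset, following RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def classify_response(buf, sinkhole_ip=SINKHOLE_IP):
    """Return (rcode_name, answer_ips, verdict) for one raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(buf, off)
        off += 4                                        # QTYPE + QCLASS
    ips = []
    for _ in range(an):                                 # collect A records from the answers
        _, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(buf[off:off + 4])))
        off += rdlen
    if sinkhole_ip in ips:
        return rcode, ips, "sinkholed: firewall rewrote the answer"
    if rcode == "NXDOMAIN":
        return rcode, ips, "upstream NXDOMAIN: sinkhole did not trigger"
    return rcode, ips, "normal answer: sinkhole did not trigger"

def build_response(qname, rcode, ips=()):
    """Build a minimal DNS response; constructed sample data, not a real capture."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed for ip in ips)
    return hdr + name + struct.pack("!HH", 1, 1) + rrs
```

If the verdict is "upstream NXDOMAIN" for a domain that should be sinkholed, the firewall never rewrote the answer, which matches the symptom in this thread rather than a client-side problem reaching the sinkhole IP.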


Yeah, check who is sending those 'no such name' responses. That can't be PA.

Hello, it is the remote DNS server sending the "no such name" response. However, what I was expecting is that, for the reason the lookup contains a known malware domain, it would trigger the PA to respond with the sinkhole IP instead. Instead it's not seen as malware so does not trigger the sinkhole. I'm going to be spending some time next week looking at this again and will update.
