09-25-2025 11:09 PM
The DNS sinkhole option works perfectly well with a Microsoft DNS environment. Unfortunately, it fails if you try to perform DNS-sinkhole injection in front of a BIND DNS server running on Red Hat Linux. Requests to malicious domains simply time out:
Test-Domain from PaloAlto (works fine):
nslookup -query=cname test-c2.testpanw.com
test-c2.testpanw.com canonical name = sinkhole.paloaltonetworks.com
Malicious-Domain (should display the sinkhole cname instead of a timeout):
nslookup -query=cname apleona.co
DNS request timed out
Has anyone else experienced anything similar?
10-08-2025 10:14 AM - edited 10-10-2025 09:53 AM
After several hours of debugging, I finally found the root cause of this problem.
DNSSEC validation is enabled by default on a BIND DNS server (dnssec-validation auto).
In our case, the DNS server is configured as a resolver, so every DNS request will query the root DNS server for the corresponding top-level DNS servers etc. All these requests are intercepted by Palo's sinkhole feature. Therefore, DNSSEC validation fails and does not return an answer.
To mitigate this problem, there are several options:
1.) Disable DNSSEC validation on the Bind server.
2.) Instead of using the resolver, configure your DNS server to forward to an external DNS server (e.g. Google).
3.) Disable the sinkhole feature on all root and top-level DNS servers, because DNSSEC is primarily used at this level and is not very popular in user domains.
I used option 3 and generated an IP list of all root and top-level DNS servers (internic.net/domain/root.zone) using PowerShell. This list was configured as an EDL in a firewall rule as the destination with the DNS security feature disabled.
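The root-zone-to-EDL step from option 3, as an added example in Python rather than the poster's own PowerShell script: it reads root.zone, collects every NS target at the root and TLD level, resolves those hostnames through the A/AAAA glue records in the same file, and renders a one-address-per-line list in the shape an IP-type EDL expects. The zone excerpt is constructed for illustration, and the names SAMPLE_ROOT_ZONE, parse_root_zone, nameserver_ips and render_edl are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in root.zone format (tab-separated like the real file, only a few
# records); SOA/RRSIG/DS lines are included so the parser is seen skipping them.
SAMPLE_ROOT_ZONE = """\
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2025100100 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
.\t518400\tIN\tNS\tb.root-servers.net.
.\t86400\tIN\tRRSIG\tNS 8 0 518400 20251014050000 20251001040000 12345 . EXAMPLESIG=
a.root-servers.net.\t518400\tIN\tA\t198.41.0.4
a.root-servers.net.\t518400\tIN\tAAAA\t2001:503:ba3e::2:30
b.root-servers.net.\t518400\tIN\tA\t170.247.170.2
com.\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t86400\tIN\tDS\t12345 13 2 EXAMPLEDIGEST
a.gtld-servers.net.\t172800\tIN\tA\t192.5.6.30
a.gtld-servers.net.\t172800\tIN\tAAAA\t2001:503:a83e::2:30
example.\t172800\tIN\tNS\tns.example-no-glue.net.
"""

def parse_root_zone(text):
    # Collect NS targets (root and TLD nameserver hostnames) and A/AAAA glue by owner name.
    ns_names, addrs = set(), defaultdict(set)
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 5 or fields[2] != "IN":
            continue                                # not "<owner> <ttl> IN <type> <rdata>"
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4]
        if rtype == "NS":
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addrs[owner].add(rdata)
    return ns_names, addrs

def nameserver_ips(text):
    # Resolve each NS hostname through the glue in the same file; report any without glue.
    ns_names, addrs = parse_root_zone(text)
    ips, missing = set(), []
    for name in sorted(ns_names):
        if name in addrs:
            ips.update(addrs[name])
        else:
            missing.append(name)                    # would need a separate lookup before use
    # IPv4 and IPv6 objects cannot be compared, so sort by (version, address)
    ordered = sorted(ips, key=lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip)))
    return ordered, missing

def render_edl(ips):
    # One validated address per line, the shape a Palo Alto IP-type EDL file expects.
    return "".join(f"{ipaddress.ip_address(ip)}\n" for ip in ips)
```

Hostnames reported in the missing list have no glue in the file and should be resolved separately before the list is published, otherwise the rule exempting them will be incomplete.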
09-30-2025 08:32 AM
Hi @HeinzP ,
Here is a related discussion. https://www.reddit.com/r/dns/comments/p6g2lq/cant_resolve_some_sites_using_our_internal/
That person also had the same issue. Unless someone else posts the solution, you will need to open a TAC case. At least my response will put this thread on the top of the queue so others may see it. 😊
Thanks,
Tom