Introduction: DNS Sinkhole Purpose

Objective

This document explains how to configure and utilize the DNS Sinkhole feature on Palo Alto Networks firewalls.

A primary use case arises when an internal DNS server handles queries for internal hosts. If an infected host queries a malicious domain, the query reaching the firewall originates from the internal DNS server, not the actual infected host. This makes identifying the compromised machine difficult solely from the firewall's Threat logs, as they would list the DNS server's IP as the source.

The DNS Sinkhole feature provides a mechanism to overcome this challenge and identify the original source of malicious DNS queries within the network.

diagram_1_May_20_2025_10-34AM — Problem: Firewall Threat log shows Internal DNS server as source, not the original client.

Configuration Overview & Important Notes

Overview

The DNS Sinkhole feature allows the Palo Alto Networks firewall to intercept a DNS query for a known malicious domain (identified via Threat Prevention signatures, DNS Security verdicts, or custom EDLs) and forge a response.

Instead of returning the actual malicious IP address, the firewall sends back either:

A CNAME record pointing to sinkhole.paloaltonetworks.com .
A specific IP address (A or AAAA record) configured by the administrator (the "Sinkhole IP").

The core idea is that malware, after resolving the domain, will attempt to initiate subsequent network traffic (TCP, UDP, etc.) to the resolved address. By directing this traffic to a controlled Sinkhole IP, the firewall can log these connection attempts in its Traffic logs , thereby revealing the original source IP address of the infected host.

Important Notes

Choosing a Sinkhole IP:

If configuring a custom Sinkhole IP address (A/AAAA record), ensure it's a fictitious RFC1918 IP address (e.g., within 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that is not actually in use anywhere in your network. Using a loopback interface address on the firewall itself is a common practice. Exception: You might use a real, secured internal IP if you intend to serve custom block pages or perform threat research on the redirected traffic.
Using the Default CNAME ( sinkhole.paloaltonetworks.com ):

Using the default CNAME requires an internal DNS server positioned between the client hosts and the firewall. This internal DNS server MUST support and have DNS recursion enabled . The client queries the internal DNS, the firewall injects the CNAME, the internal DNS server receives the CNAME and *must* recursively resolve sinkhole.paloaltonetworks.com to get an actual IP address (provided by Palo Alto Networks' infrastructure) to return to the client.

If your internal DNS server does not support recursion, or if clients query the firewall directly without an intermediary recursive DNS server, the CNAME sinkhole method will likely fail. The client will receive the CNAME but won't resolve it further, and no traffic will be directed to the sinkhole IP. In such cases, you must configure a specific Sinkhole IP address (A/AAAA record) instead of using the CNAME.
External DNS Servers:

If clients use an external DNS server directly (e.g., 8.8.8.8), the firewall can still detect the malicious query via signatures/DNS Security and apply an action. However, the Sinkhole action primarily helps by preventing the client from receiving the *actual* malicious IP. The firewall's Threat log will correctly identify the original client source IP in this case. Injecting a Sinkhole IP/CNAME offers less identification benefit here (as the source IP is already known) but still prevents connection to the real malicious destination. Traffic logs to the sinkhole IP might not be generated if the external resolver doesn't forward the CNAME resolution attempt back through the firewall or if the client doesn't act on the sinkholed A/AAAA record received directly.

     Understand the difference between using the CNAME vs. a custom Sinkhole IP. Know the prerequisites for the CNAME method (internal recursive DNS server) and the implications if those prerequisites aren't met (use a custom IP). Recognize that sinkholing's primary goal is *infected host identification* via Traffic Logs when an internal DNS server obscures the original source in Threat Logs.
    

Configuration Steps

Follow these steps to configure DNS Sinkholing:

Ensure Latest Content Updates

Verify that the firewall has the latest Antivirus content updates (for signature-based detection) and, if licensed, WildFire updates. DNS Security relies on cloud connectivity.

Navigate to Device > Dynamic Updates . Click "Check Now" . Ensure Antivirus and WildFire versions are current. Schedule regular checks (e.g., Antivirus hourly, WildFire every minute or Real-time for PAN-OS 10.0+).

Ensure Antivirus and WildFire content is up-to-date in Device > Dynamic Updates.

DNS Sinkhole functionality requires either an active Threat Prevention license (for Anti-Spyware signatures) or a DNS Security license (for cloud verdicts and advanced categories). Sinkholing based on an EDL of type Domain does not require a license. Custom Anti-Spyware DNS signatures cannot trigger the sinkhole action.
Configure the Sinkhole Action in a Security Profile

Navigate to Objects > Security Profiles > Anti-Spyware . You can edit an existing profile or create a new one. Select the profile you intend to use.

Within the profile, go to the DNS Policies tab.

Accessing DNS Policies within the Anti-Spyware profile.

Here you can configure the sinkhole action for various threat types:
- Palo Alto Networks Content DNS Signatures: Select the rule(s) covering malicious signatures (e.g., the default rules) and change the Action to sinkhole .
- DNS Security Categories (Requires DNS Security License): Apply the sinkhole action to relevant categories like Malware, Command and Control, DGA, etc.
- External Dynamic Lists (EDL): If using a Domain EDL for sinkholing, apply the sinkhole action here.
In the Sinkhole IPv4 field:
- Leave the default sinkhole.paloaltonetworks.com to use the CNAME method (requires internal recursive DNS).
- Select an existing address object or type in a specific, unused RFC1918 address (e.g., 192.168.254.254 ) to use a custom Sinkhole IP.
In the Sinkhole IPv6 field:
- Enter a specific IPv6 sinkhole address if needed. If left blank and IPv6 sinkholing is triggered, the default ::1 address is often used.
Remember to apply this Anti-Spyware (or DNS Security) profile to the Security Policy rule(s) that allow outbound DNS traffic from your network.
(Conditional) Configure Security Policy for Sinkhole Traffic Logging

This step is primarily needed if you are using the default CNAME sinkhole.paloaltonetworks.com OR if you want very specific logging/control for traffic going to your custom Sinkhole IP .

If using the CNAME:

Since the IP address for sinkhole.paloaltonetworks.com rotates, you cannot easily filter Traffic logs by a single destination IP. To reliably identify infected hosts, create a specific Security Policy rule:
1. Create an Address Object of type FQDN for sinkhole.paloaltonetworks.com ( Objects > Addresses ).
2. Create a new Security Policy rule ( Policies > Security ). Place this rule *before* any general outbound rules that might match the sinkhole traffic.
3. Set the rule details:
  - Name: e.g., "Sinkhole Traffic Log/Deny"
  - Source Zone(s): Your internal zones (e.g., Trust)
  - Source Address: Any
  - Destination Zone: Zone where the sinkhole FQDN resolves (usually External/Untrust)
  - Destination Address: Select the FQDN object created above.
  - Application: Any (or http, https if you expect specific protocols)
  - Service: application-default
  - Action: Deny (Recommended, as Palo Alto Networks doesn't use received sinkhole packets for telemetry) or Allow if needed for specific reasons. Ensure logging is enabled.
4. Now, to find infected hosts, filter the Traffic logs for hits on this specific "Sinkhole Traffic Log/Deny" rule name.
Remember, the CNAME method relies on your internal recursive DNS server successfully resolving the CNAME to an IP. If that fails, clients won't initiate traffic matching this rule.

If using a Custom Sinkhole IP:

You can create a similar Security Policy rule targeting your custom Sinkhole IP as the Destination Address. Alternatively, you can simply filter the Traffic logs directly for Destination Address = [Your Custom Sinkhole IP]. Creating a dedicated rule offers cleaner reporting.
Commit Changes

Commit the configuration changes to the firewall.

Log Analysis & Infected Host Identification

Distinguishing Logs

It's critical to understand which logs provide which pieces of information when dealing with DNS Sinkholing:

Threat Logs (Monitor > Logs > Threat): These logs record the initial detection of the malicious DNS query. The Source IP address listed here will be the device that sent the query *to the firewall*.
- If clients query the firewall directly or use an external DNS, this log shows the actual infected client IP.
- If clients use an internal DNS server, this log will show the internal DNS server's IP as the source, *not* the original infected client.
Traffic Logs (Monitor > Logs > Traffic): These logs record actual network sessions (TCP, UDP connections). When DNS Sinkholing is working correctly:
- The infected client receives the fake Sinkhole IP address.
- The client attempts to connect to this Sinkhole IP.
- The firewall logs this connection attempt in the Traffic logs.
- The Source IP in this Traffic log entry IS the actual infected client's IP address .
- The Destination IP will be your configured Sinkhole IP (or an IP resolved from the Sinkhole CNAME).

     To identify infected hosts when using DNS Sinkhole (especially with an internal DNS server), you MUST primarily analyze the
     
      Traffic Logs
     
     , filtering for traffic destined for your Sinkhole IP or matching your dedicated Sinkhole Security Policy rule. Relying only on Threat Logs will mislead you if an internal DNS server is involved.

Finding Infected Hosts

Navigate to Monitor > Logs > Traffic .
Apply a filter:
- If using a Custom Sinkhole IP : Add filter `(addr.dst in [Your Sinkhole IP])`.
- If using the Sinkhole CNAME and created a dedicated rule: Add filter `(rule eq 'NameOfYourSinkholeRule')`. Example: `(rule eq 'Sinkhole Traffic Log/Deny')`.
Examine the log entries matching the filter. The Source IP column will show the IP addresses of the potentially compromised hosts on your network that attempted to contact the sinkhole.

Traffic Log filtered by Sinkhole rule name showing source IPs. — Filtering Traffic Logs to find source IPs connecting to the sinkhole target.

Conceptual Diagrams

DNS Sinkhole Process Flow (with Internal DNS)

Sequence diagram illustrating the DNS Sinkhole process when an internal DNS server is present.

Simplified Decision Flowchart

Simplified flowchart showing the DNS Sinkhole decision process.

PCNSE Exam Focus Points

Key takeaways for the PCNSE exam regarding DNS Sinkholing:

Primary Goal: Understand that DNS Sinkhole's main purpose is infected host identification , especially when internal DNS servers obscure the original source IP in Threat logs.
Mechanism: Know that it works by intercepting malicious DNS queries (standard DNS, port 53) and returning a forged response pointing to a controlled Sinkhole IP or CNAME.
Configuration Location: Remember that Sinkhole actions are configured within Security Profiles (Anti-Spyware or DNS Security).
Trigger Conditions: Sinkholing is triggered by matches against Palo Alto Networks content signatures, DNS Security verdicts, or specific Domain EDLs within the applied profile. (Custom DNS signatures are not supported).
License Requirements: Know that Threat Prevention or DNS Security license is generally required, except for sinkholing based on Domain EDLs.
CNAME vs. Custom IP: Understand the difference.
- CNAME ( sinkhole.paloaltonetworks.com ) requires an internal, recursive DNS server between client and firewall. Identification requires a dedicated Security Policy rule matching the FQDN.
- Custom IP is necessary if no internal recursive DNS exists or if simpler Traffic Log filtering by IP is preferred. The chosen IP must be unused RFC1918.
Identification Log: CRITICAL POINT: Infected hosts are identified by analyzing the Traffic Logs for connections where the Destination Address is the Sinkhole IP (or matches the Sinkhole FQDN rule). Do NOT rely solely on Threat logs for identification when an internal DNS server is present.
Policy Application: The Security Profile containing the sinkhole configuration must be applied to a Security Policy rule that allows the relevant outbound DNS traffic.

     Be prepared for scenario questions where you need to determine *why* sinkholing is needed, *how* to configure it (CNAME vs IP based on the environment), and *which log* to check to find the compromised host. The distinction between Threat Logs and Traffic Logs for identification is a common point of confusion and testing.
    

DNS Sinkhole Knowledge Check

Test your understanding of the DNS Sinkhole feature.

1. What is the primary objective of configuring DNS Sinkholing on a Palo Alto Networks firewall?

To block all malicious DNS queries at the firewall. To identify internal clients infected with malware attempting C2 communication. To act as a primary recursive DNS server for the network. To accelerate DNS resolution by caching malicious domains.

2. In which type of log are you most likely to find the original IP address of an infected client identified through DNS Sinkholing?

Threat Log System Log Traffic Log URL Filtering Log

3. Where are the DNS Sinkhole IP address or CNAME settings configured?

In the Security Policy rule action. Under Device > Setup > Services. In a URL Filtering profile. In an Anti-Spyware or DNS Security profile.

4. What is a critical requirement if you choose to use the default CNAME `sinkhole.paloaltonetworks.com` for DNS Sinkholing?

An internal DNS server with recursion enabled must be used by clients. Clients must be configured to use the firewall directly as their DNS server. An active WildFire license must be present on the firewall. SSL Decryption must be enabled for DNS traffic.

5. When filtering Traffic Logs to identify hosts hitting a CNAME-based sinkhole, what is the recommended filter method?

Filter by Destination IP = 74.82.42.42 (Palo Alto Networks Sinkhole IP). Filter by Threat ID corresponding to the DNS signature. Filter by the name of the dedicated Security Policy rule matching the Sinkhole FQDN. Filter by Application = dns-sinkhole.

6. Which license is generally required to enable DNS Sinkholing based on Palo Alto Networks' Anti-Spyware DNS signatures?

WildFire Threat Prevention URL Filtering GlobalProtect

7. If you configure a custom Sinkhole IP address (e.g., 192.168.254.254), what should you filter for in the Traffic Logs to find infected clients?

Destination IP Address = 192.168.254.254 Source IP Address = 192.168.254.254 Application = dns Action = sinkhole

8. Why might a firewall administrator choose to configure a custom Sinkhole IP instead of using the default CNAME?

The firewall does not have internet connectivity. They want to use Palo Alto Networks' telemetry features. Custom IP addresses provide stronger encryption. The internal DNS server does not support recursion, or clients query the firewall directly.

9. The Security Profile containing the DNS Sinkhole configuration must be applied to which type of Security Policy rule?

A rule allowing traffic TO the Sinkhole IP address. A rule allowing the outbound DNS query traffic that needs inspection. A rule blocking all inbound traffic. A rule specifically for the Application 'dns-sinkhole'.

10. What is a recommended characteristic of a custom Sinkhole IP address?

It should be a publicly routable IP address. It should be the IP address of the primary domain controller. It should be an unused RFC1918 address within the network. It should resolve to `sinkhole.paloaltonetworks.com`.

11. If an internal DNS server is used by clients, and the firewall detects a malicious DNS query from that server, what information is initially logged in the firewall's Threat Log entry for the Source IP?

The IP address of the internal DNS server. The IP address of the original infected client. The configured Sinkhole IP address. The IP address of the external malicious server.

12. Can DNS Sinkholing be triggered by custom Anti-Spyware DNS signatures created by an administrator?

Yes, always. Yes, but only if a DNS Security license is active. Only if the custom signature severity is set to Critical. No, the sinkhole action is not supported for custom DNS signatures.

13. What type of DNS record does the firewall inject when using the default `sinkhole.paloaltonetworks.com` setting?

A (Address) CNAME (Canonical Name) TXT (Text) MX (Mail Exchanger)

14. What firewall action is recommended for the dedicated Security Policy rule used to match traffic going *to* the sinkhole target (FQDN or IP)?

Deny Allow Reset Client Sinkhole

15. Which dynamic update content is most directly related to providing the signatures used for triggering DNS Sinkholing in the Anti-Spyware profile?

WildFire Update Applications and Threats Update Antivirus Update GlobalProtect Data File

16. If clients use an external DNS server (e.g., 8.8.8.8) directly, where will the firewall log the original infected client's IP when a malicious DNS query is detected by an Anti-Spyware signature?

Traffic Log only. Threat Log. System Log. It cannot be logged in this scenario.

17. To implement DNS Sinkholing using a Domain-based External Dynamic List (EDL), which license is required?

Threat Prevention DNS Security WildFire No specific license is required for EDL-based Sinkholing.

18. The forged DNS response created by the sinkhole action directs the client to attempt communication with:

The configured Sinkhole IP or the IP resolved from the Sinkhole CNAME. The original malicious C2 server IP address. The firewall's management interface IP address automatically. A Palo Alto Networks cloud analysis server.

19. Why is it important that a custom Sinkhole IP address is *fictitious* and *unused*?

To ensure the firewall can route traffic to it efficiently. To allow Palo Alto Networks to collect statistics from it. To prevent conflicts with legitimate devices and avoid sending potentially malicious traffic to a real host. To make log filtering easier using a well-known address.

20. After configuring DNS Sinkholing and applying the profile, what is the final step mentioned in the procedure to make the changes active?

Reboot the firewall. Commit the configuration. Update the Antivirus content again. Clear the internal DNS server cache.