DNS Configuration in Palo Alto Firewall
The DNS Sinkhole feature allows the Palo Alto firewall to forge the DNS response to a query for a suspicious domain, so that the suspicious/infected domain name resolves to a defined IP address (the Sinkhole IP) that answers on behalf of the real destination. For example, if source 10.1.1.1 initiates traffic to destination 18.104.22.168 through an infected URL (malicious.com), the firewall redirects the infected traffic to the DNS Sinkhole IP address (10.11.12.13) and immediately stops the suspicious traffic from reaching the next hop.
How to configure DNS Sinkhole in Palo Alto Firewall
To configure the DNS Sinkhole feature on the firewall, the following pre-requisites must be met:
- The DNS Sinkhole IP address must be UNIQUE and must not exist anywhere inside the network.
- Anti-virus and WildFire signatures must be up to date, as malicious traffic is scanned against the latest anti-virus signature patterns; this increases the detection rate for infected links and avoids false positives.
- Create a firewall policy with the “Deny” action.
- The policy must have logging enabled so that session hits to the DNS Sinkhole IP address can be verified.
Summary of DNS-Sinkhole configuration
- The malicious DNS request is captured by the firewall.
- The firewall blocks the connection and sends a reply to the user with the fake (DNS-Sinkhole) IP in the DNS response.
- The user receives the fake DNS Sinkhole IP address in the DNS response.
- User traffic is redirected to the DNS-Sinkhole IP address, which is blocked by the firewall policy, and the user gets a request-time-out or a "webpage is not working" message on the screen.
How to verify DNS sinkhole
Once any suspicious request is captured in the firewall log, a threat alert is generated.
So here, we have the suspicious URL www.suspicious-site-hacker.com, which is a known malicious site.
Access to the site will not work, as it redirects to the sinkhole fake IP address.
Source Address -> 10.1.1.1 (user machine’s IP address)
Destination Address -> www.suspicious-site-hacker.com
DNS-Sinkhole IP address -> 10.11.12.13
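The two checks above (the sinkhole IP must be unused inside the network, and sessions to it in the logs identify infected clients) can be scripted. The following is an added example, not part of the original article or of Palo Alto's own tooling; the internal prefixes and the simplified comma-separated log format are constructed assumptions, not the real PAN-OS log layout.

```python
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "10.11.12.13"  # sinkhole address used in the article

# Assumed internal address space; the sinkhole must not fall inside any of it.
INTERNAL_PREFIXES = ["10.1.0.0/16", "192.168.0.0/16"]

# Constructed, simplified traffic log lines (NOT the real PAN-OS format):
# timestamp,src,dst,dport,action
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.1.1.1,10.11.12.13,443,deny
2024-01-01T10:00:02,10.1.1.1,10.11.12.13,80,deny
2024-01-01T10:00:05,10.1.1.7,93.184.216.34,443,allow
2024-01-01T10:00:09,10.1.2.40,10.11.12.13,443,deny
2024-01-01T10:00:11,10.1.1.1,93.184.216.34,80,allow
"""


def sinkhole_is_unique(sinkhole_ip, internal_prefixes):
    """Pre-requisite check: the sinkhole IP must not belong to any internal subnet,
    otherwise legitimate traffic to that subnet would be mistaken for sinkhole hits."""
    ip = ipaddress.ip_address(sinkhole_ip)
    return not any(ip in ipaddress.ip_network(p) for p in internal_prefixes)


def infected_hosts(log_text, sinkhole_ip):
    """Return {src: hit_count} for every source that opened a session to the sinkhole IP.
    Because the sinkhole IP is otherwise unused, any session to it means that client
    resolved a malicious domain and is the host to investigate."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _dport, _action = line.split(",")
        if dst == sinkhole_ip:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("sinkhole IP unique:", sinkhole_is_unique(SINKHOLE_IP, INTERNAL_PREFIXES))
    for host, n in infected_hosts(SAMPLE_LOG, SINKHOLE_IP).items():
        print(f"{host} hit the sinkhole {n} time(s)")
```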
I hope this description of DNS Sinkhole configuration and verification helps you understand this awesome Palo Alto Firewall feature.