Tuesday, May 17, 2016

Enabling DNS Sinkhole on a Palo Alto Networks Firewall

Have you ever looked at your threat logs and seen tons of spyware hits from your DNS servers? For example, in the case shown here the source of the hits is my internal DNS server.
My DNS server can't possibly be compromised (I hope), so why is this? When you step back and think about it, it makes perfect sense. My firewall doesn't see the original request that a client makes, because it goes to my local DNS server, which sits below the firewall. So when the DNS server recurses out to the internet, the firewall catches the bad domain, but the problem is it can only pick up on the fact that the request has come from the DNS server.

There has to be a better way! Not to worry, as usual the boys from Palo Alto, CA have the answer. They call it "DNS Sinkhole." In essence you trick the compromised host into resolving a bad domain to an IP north of the firewall. Now when the compromised host attempts to reach the bad domain, the firewall is able to capture the actual source. Think of a classic '80s detective TV show in which the good guys trick the crook into walking right into their dragnet.

So how does it work on a technical level? The DNS Sinkhole feature is part of an Anti-spyware profile. When enabled, if the firewall sees a DNS request come through for a domain which matches a malicious signature, the firewall intercepts and responds to the request. Remember that this request may have come from an internal DNS server, but this does not matter, because the DNS server will treat the response from the firewall as if it were a normal response from a root server and pass it back to the requesting host.

Without this feature enabled, the firewall would simply drop the packets and the request would time out (provided you have an anti-spyware profile configured this way). When using DNS Sinkhole, the host receives a valid response, forged by the firewall. You will be asked to provide an address to use as the A record for such requests. Now this is important: this address must route through the firewall. That is to say, the address you choose must live north of the firewall, such that when the compromised host tries to get to the address, that traffic traverses the firewall. Of course you also want to pick an address which is not already in use.

To configure DNS Sinkhole, go to your Anti-spyware profile. Pro tip: you will not be able to change any settings in the "default" and "strict" profiles provided by Palo Alto Networks; you must either clone them or create a new one. From there, go to the DNS Signatures tab. Change the Action to sinkhole and provide an IPv4 and an IPv6 address to use as the sinkhole. Optionally you may enable packet captures on sinkhole hits. Passive DNS Monitoring anonymously sends DNS information to Palo Alto Networks for threat research. Don't forget to use this profile in your security policies!
Now that we have made our change and committed, we can go look at the threat log again.
Notice that the action has changed from drop-all-packets to sinkhole. This tells us we can find the actual source address in the traffic log. All we have to do now is search the traffic log for the sinkhole address we configured earlier. You could also spice things up by putting in a deny rule for this destination, so the compromised host never actually reaches anything while still lighting up the log.
We can now see which host on my network is actually compromised. Release the dogs!
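The two practitioner-facing steps above, choosing a sinkhole address that will actually traverse the firewall and then filtering the traffic log on that address to find the real client, as an added Python example. This is not code from the post or from Palo Alto Networks; the log format is a constructed, simplified CSV subset of a traffic log export (time, src, dst, dport, proto, action), the addresses are RFC 5737 documentation ranges, and the 10.0.0.0/8 internal range is an assumption you would replace with your own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample traffic log lines in a simplified CSV export style
# (hypothetical field subset: receive_time,src,dst,dport,proto,action).
# 203.0.113.254 plays the role of the configured IPv4 sinkhole address.
SAMPLE_TRAFFIC_LOG = """\
2016/05/17 09:01:12,10.1.20.15,203.0.113.254,80,tcp,allow
2016/05/17 09:01:13,10.1.20.15,203.0.113.254,443,tcp,allow
2016/05/17 09:02:40,10.1.30.77,198.51.100.10,443,tcp,allow
2016/05/17 09:03:05,10.1.40.8,203.0.113.254,80,tcp,deny
2016/05/17 09:03:06,10.1.20.15,203.0.113.254,80,tcp,deny
"""

# Assumed internal address space; traffic to a destination inside it
# would never cross the firewall, so it is useless as a sinkhole.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def validate_sinkhole(addr, internal_nets=INTERNAL_NETS):
    """Return a list of problems with a candidate sinkhole address (IPv4 or IPv6).

    The post's rule is that the address must live north of the firewall and
    must not already be in use. The first part can be checked mechanically:
    not inside any internal subnet and not loopback/multicast/unspecified.
    "Not in use" depends on the operator's own inventory, so it is only
    caught here when the address is clearly unroutable.
    """
    ip = ipaddress.ip_address(addr)
    problems = []
    if any(ip in net for net in internal_nets):
        problems.append(f"{addr} is inside an internal network; "
                        "traffic to it would not traverse the firewall")
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        problems.append(f"{addr} is loopback/multicast/unspecified "
                        "and cannot be routed through the firewall")
    return problems


def parse_traffic_log(text):
    """Parse the constructed CSV lines into dicts; skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, proto, action = line.split(",")
        rows.append({"time": t, "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto, "action": action})
    return rows


def sinkhole_hits(rows, sinkhole_addr):
    """Map each source host that talked to the sinkhole address to its hit count.

    This is the manual step of searching the traffic log for the sinkhole
    destination: because the client itself connects to the forged A record,
    the src field now shows the real client rather than the DNS server.
    Both allowed and denied sessions count, so a deny rule on the sinkhole
    address still leaves the evidence in the log.
    """
    hits = defaultdict(int)
    for r in rows:
        if r["dst"] == sinkhole_addr:
            hits[r["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    sinkhole = "203.0.113.254"
    for problem in validate_sinkhole(sinkhole):
        print("WARNING:", problem)
    for host, count in sinkhole_hits(parse_traffic_log(SAMPLE_TRAFFIC_LOG), sinkhole).items():
        print(f"{host} reached the sinkhole {count} time(s)")
```

On the firewall itself the equivalent of `sinkhole_hits` is a traffic log filter on the destination, e.g. `( addr.dst in 203.0.113.254 )` with your own sinkhole address substituted; the script is mainly useful against exported logs or when you want the hit counts per host in one place.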


  1. I am very thankful to you for sharing such a helpful post about network security. I really need this type of knowledge. Thanks for posting it. Keep it up. Network Security Houston.

  2. It's a basic substance that you have shared here. It is truly enchanting and connecting with an article, Thankful to you for sharing an article in this manner. It Support Houston

  3. This is important information which is shared by you. This info is meaningful and important for everyone to increase our knowledge about it. Always keep sharing this kind of information. Thank you. West Midlands Security Services

  4. Thanks for publishing such great information. You are doing such a great job. This information is very helpful for everyone. Keep it up. Thanks.Burglar alarm installation Worcester park

  5. It's very nice of you to share your knowledge through posts. I love to read stories about your experiences. They're very useful and interesting. I am excited to read the next posts. I'm so grateful for all that you've done. Keep plugging. Many viewers like me fancy your writing. Thank you for sharing precious information with us. Best computer network security jacksonville fl service provider.


  7. Absolutely informative blog. Thank you for sharing this . For individuals, small business, or enterprises, it is essential to learn about cyber security in order to prevent potential threats and secure their information. As a cyber security company and ISO consultants in Pune, India, I found this information valuable. Glad to read this, great blog.

  8. This blog is really helpful to deliver updated affairs over internet which is really appraisable. Cyber Security Brisbane

  9. I found one successful example of this truth through this blog. I am going to use such information now. Business IT Support