DNS sinkholing helps you identify infected hosts on the protected
network using DNS traffic in situations where the firewall cannot
see the infected client's DNS query (that is, the firewall cannot
see the originator of the DNS query). In a typical deployment where
the firewall is north of the local DNS server, the threat log will identify
the local DNS resolver as the source of the traffic rather than
the actual infected host. Sinkholing malware DNS queries solves
this visibility problem by forging responses to the client host
queries directed at malicious domains, so that clients attempting
to connect to malicious domains (for command-and-control, for example) will
instead attempt to connect to a default Palo Alto Networks sinkhole
IP address (or to an IP address that you define if you choose to
Configure DNS Sinkholing for a List of Custom Domains). Because the
connection attempt to the sinkhole originates from the client itself
and traverses the firewall, infected hosts can then be easily
identified by their source address in the traffic logs.
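The visibility difference described above, shown as an added example that is not Palo Alto Networks' code or a PAN-OS log parser: a threat-log view of the DNS query attributes the detection to the resolver, while the traffic-log view of connections to the sinkhole address attributes them to the real client. The log format is a simplified constructed CSV, the sinkhole address 192.0.2.10 and resolver address 10.0.0.53 are placeholders (substitute the sinkhole IP configured on your firewall), and the sample lines are constructed for illustration.

```python
"""Correlate sinkhole traffic to find infected hosts.

Added example, not vendor code. Assumes a simplified CSV log layout:
  timestamp,logtype,src,dst,dport,app[,threat,domain]
The real PAN-OS CSV export has many more fields; adjust the column
indices below to match your export.
"""
import csv
from collections import Counter

SINKHOLE_IP = "192.0.2.10"     # assumed placeholder for the configured sinkhole
RESOLVER_IP = "10.0.0.53"      # assumed local DNS resolver (south of the firewall)

# Constructed sample threat log: the firewall only sees the resolver's
# recursive query, so every spyware/DNS entry has the resolver as source.
THREAT_LOG = """\
2024-05-01T10:00:01,THREAT,10.0.0.53,198.51.100.5,53,dns,spyware,c2.bad.example
2024-05-01T10:00:04,THREAT,10.0.0.53,198.51.100.5,53,dns,spyware,dropper.bad.example
"""

# Constructed sample traffic log: after the forged answer, the real
# clients try to reach the sinkhole address and are logged by source.
TRAFFIC_LOG = """\
2024-05-01T10:00:02,TRAFFIC,10.1.4.22,192.0.2.10,443,ssl
2024-05-01T10:00:03,TRAFFIC,10.1.4.22,192.0.2.10,80,web-browsing
2024-05-01T10:00:05,TRAFFIC,10.1.7.9,192.0.2.10,8080,unknown-tcp
2024-05-01T10:00:06,TRAFFIC,10.1.4.30,93.184.216.34,443,ssl
"""


def parse_log(text):
    """Split a CSV log export into rows (list of field lists)."""
    return [row for row in csv.reader(text.strip().splitlines()) if row]


def threat_log_sources(threat_log=THREAT_LOG):
    """Source addresses the threat log blames for DNS-based detections.

    With the firewall north of the resolver this collapses to the
    resolver itself, which is the visibility gap sinkholing closes.
    """
    return {row[2] for row in parse_log(threat_log) if row[1] == "THREAT"}


def sinkhole_clients(traffic_log=TRAFFIC_LOG, sinkhole_ip=SINKHOLE_IP):
    """Map each client that attempted to reach the sinkhole to its hit count.

    Any source address here is a host that resolved a sinkholed domain
    and then tried to connect, i.e. a likely infected host.
    """
    hits = Counter()
    for row in parse_log(traffic_log):
        if row[1] == "TRAFFIC" and row[3] == sinkhole_ip:
            hits[row[2]] += 1
    return dict(hits)


def suspected_infections(traffic_log=TRAFFIC_LOG, sinkhole_ip=SINKHOLE_IP,
                         resolver_ip=RESOLVER_IP):
    """Sorted list of suspected infected hosts, excluding the resolver.

    The resolver is excluded because a forwarding resolver that itself
    probes the sinkhole would otherwise be misreported as infected.
    """
    clients = sinkhole_clients(traffic_log, sinkhole_ip)
    return sorted(ip for ip in clients if ip != resolver_ip)


if __name__ == "__main__":
    print("threat log sources   :", sorted(threat_log_sources()))
    print("sinkhole connections :", sinkhole_clients())
    print("suspected infections :", suspected_infections())
```

The traffic-log view only works if the client's connection attempt actually reaches the firewall: the sinkhole address must be routed through the firewall (PAN-OS documentation recommends placing it in a separate zone for this reason) and the session must be logged, otherwise the forged answer is returned but the infected host is never recorded.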