To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic List that includes the domains, enable the sinkhole action in an Anti-Spyware profile, and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.

For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.

Each firewall model supports a maximum of 50,000 domain names total in one or more external dynamic lists, but no maximum limit is enforced for any one list.
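The following is an added helper for preparing the domain list described above; it is example code, not Palo Alto Networks' own tooling. It assumes the list is published as plain text with one domain per line, uses a constructed sample feed, treats lines beginning with "#" in the intake file as comments, and derives the threat-log signature name from the naming pattern given above.

```python
"""Prepare and sanity-check a domain list for DNS sinkholing via an EDL."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Platform-wide cap stated in the documentation: 50,000 domains total
# across all domain EDLs on one firewall (no per-list cap is enforced).
MAX_TOTAL_DOMAINS = 50_000

# Conservative hostname label check (assumption: letters, digits, hyphens,
# 1-63 chars, no leading or trailing hyphen).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample intake feed (not from the page); mixed case, trailing
# dot, a duplicate, a comment line and one malformed entry.
SAMPLE_FEED = [
    "# threat intel export",
    "Evil-Example.COM.",
    "evil-example.com",
    "bad_domain.test",
    "c2.example.net",
]


def normalize_domain(entry: str) -> Optional[str]:
    """Lower-case, strip whitespace and trailing dot; None if malformed."""
    d = entry.strip().lower().rstrip(".")
    if not d or d.startswith("#"):
        return None
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return d


def build_edl(raw_entries: Iterable[str]) -> List[str]:
    """Deduplicated, sorted domains ready to publish one per line."""
    seen = {d for d in map(normalize_domain, raw_entries) if d}
    return sorted(seen)


def within_total_limit(lists: Dict[str, List[str]]) -> Tuple[bool, int]:
    """Check the combined size of all domain EDLs against the 50,000 cap."""
    total = sum(len(entries) for entries in lists.values())
    return total <= MAX_TOTAL_DOMAINS, total


def expected_signature_name(domain: str) -> str:
    """Threat-log signature name the firewall generates for an EDL domain."""
    return f"Custom Malicious DNS Query {domain}"
```

Write `"\n".join(build_edl(feed))` to the file the firewall fetches, and use `expected_signature_name` to correlate threat-log hits back to the list entry that caused them.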