By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.

You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.

The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honey-pot server as a physical host to further analyze the malicious traffic.

The configuration steps that follow use the following example DNS sinkhole addresses:

- IPv4 DNS sinkhole address: 10.15.0.20
- IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5
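
The following is an added example, not part of the original documentation or of any Palo Alto Networks tooling. It checks a sinkhole address plan against the requirements above (both address families present, neither address inside a client subnet) and then lists the hosts that tried to reach a sinkhole address. The client subnets, the CSV log layout (time, source, destination, port) and the log lines are assumptions constructed for illustration, and zones are approximated here by subnets.

```python
import csv
import io
import ipaddress

# Example sinkhole addresses from this page.
SINKHOLES = [ipaddress.ip_address("10.15.0.20"),
             ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5")]
# Assumed client-zone subnets (hypothetical; replace with your own).
CLIENT_NETS = [ipaddress.ip_network("192.168.2.0/24"),
               ipaddress.ip_network("fd00:2::/64")]
# Constructed traffic-log sample (hypothetical layout: time,src,dst,dport).
SAMPLE_LOG = """\
2024-05-01T10:00:01,192.168.2.10,10.15.0.20,80
2024-05-01T10:00:02,192.168.2.11,203.0.113.7,443
2024-05-01T10:00:05,fd00:2::15,fd97:3dec:4d27:e37c:0005:0005:0005:0005,443
2024-05-01T10:00:09,192.168.2.10,10.15.0.20,443
2024-05-01T10:00:11,192.168.2.12,not-an-ip,53
"""

def check_sinkhole_plan(sinkholes, client_nets):
    """Return a list of problems with the sinkhole address plan."""
    problems = []
    versions = {addr.version for addr in sinkholes}
    for v in (4, 6):
        if v not in versions:
            problems.append(f"no IPv{v} sinkhole address")
    for addr in sinkholes:
        for net in client_nets:
            if addr.version == net.version and addr in net:
                problems.append(f"{addr} is inside client subnet {net}")
    return problems

def hosts_hitting_sinkhole(log_text, sinkholes):
    """Count sessions per source host whose destination is a sinkhole address."""
    hits = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip lines that do not match the assumed layout
        try:
            # Parsing normalizes textual variants such as zero-padded IPv6 groups.
            src, dst = ipaddress.ip_address(row[1]), ipaddress.ip_address(row[2])
        except ValueError:
            continue  # skip rows with unparsable addresses
        if dst in sinkholes:
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits

if __name__ == "__main__":
    print(check_sinkhole_plan(SINKHOLES, CLIENT_NETS))
    print(hosts_hitting_sinkhole(SAMPLE_LOG, SINKHOLES))
```

Comparing parsed address objects rather than strings matters for the IPv6 sinkhole, which logs may write in compressed or zero-padded form.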