6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use

Information

Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.

Rationale:

DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the DNS server itself may be seen as infected, while the truly infected device remains unidentified. In addition, sinkholing ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could potentially be used to negatively impact the IP reputation of the organization's internet network subnets.
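The identification step the rationale describes, as an added example that is not part of the CIS benchmark text: once the sinkhole address is configured and all internal traffic to it traverses the firewall, the infected hosts are simply the sources of sessions whose destination is the sinkhole address, not the DNS server that answered the query. The script below runs over a constructed, simplified traffic log (its field layout is assumed for the example and is not the real PAN-OS log format), and the sinkhole addresses 10.0.9.250 and fd00::9:250 are constructed placeholders for an internal sinkhole host.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: a simplified firewall traffic log (assumed layout, not
# PAN-OS's real field order). 10.0.9.250 and fd00::9:250 stand in for the
# Sinkhole IPv4 / IPv6 addresses set in the anti-spyware profile; 10.0.0.53
# is the internal resolver, which must NOT be flagged.
SAMPLE_LOG = """time,src,dst,dport,proto,action
2024-05-01T10:00:01,10.1.4.23,93.184.216.34,443,tcp,allow
2024-05-01T10:00:05,10.1.4.23,10.0.9.250,80,tcp,allow
2024-05-01T10:00:06,10.1.4.23,10.0.9.250,443,tcp,allow
2024-05-01T10:02:11,10.1.7.8,10.0.9.250,8080,tcp,allow
2024-05-01T10:03:40,10.1.2.2,10.0.0.53,53,udp,allow
2024-05-01T10:05:13,fd00::1:77,fd00::9:250,443,tcp,allow
"""

# Both the IPv4 and the IPv6 sinkhole addresses from the profile.
SINKHOLE_ADDRS = {
    ipaddress.ip_address("10.0.9.250"),
    ipaddress.ip_address("fd00::9:250"),
}


def find_sinkhole_contacts(log_text, sinkhole_addrs=SINKHOLE_ADDRS):
    """Group sessions whose destination is a sinkhole address by source host.

    Returns {src: {"count", "first", "last", "ports"}}; every key is a host
    that resolved a malware domain and then tried to reach it, i.e. a host
    that should be treated as infected.
    """
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # malformed line: skip it rather than abort the sweep
        if dst not in sinkhole_addrs:
            continue
        h = hits[row["src"]]
        h["count"] += 1
        h["first"] = h["first"] or row["time"]
        h["last"] = row["time"]
        h["ports"].add(int(row["dport"]))
    return dict(hits)


if __name__ == "__main__":
    for src, info in sorted(find_sinkhole_contacts(SAMPLE_LOG).items()):
        print(f"{src}: {info['count']} session(s) to sinkhole, "
              f"ports {sorted(info['ports'])}, {info['first']} .. {info['last']}")
```

The resolver (10.1.2.2 talking to 10.0.0.53) never appears in the output, which is the whole point of sinkholing: the spoofed answer sends the real client, not the DNS server, to a destination the firewall can log and alert on.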

Solution

Navigate to Objects > Security Profiles > Anti-Spyware.
Within each anti-spyware profile, under its DNS Signatures tab, set the DNS Signature Source List:
Palo Alto Networks Content DNS Signatures should have its Action on DNS Queries set to sinkhole
If licensed, Palo Alto Networks Cloud DNS Security should have its Action on DNS Queries set to sinkhole
Verify the 'Sinkhole IPv4' IP address is correct. This should be set to sinkhole.paloaltonetworks.com, or if an internal host is used then that host's IP or FQDN should be in that field
Verify the 'Sinkhole IPv6' IP address is correct. This should be set to the IPv6 loopback address (::1), or if an internal DNS sinkhole host is used then that host's IP or FQDN should be in that field
Navigate to Policies > Security Policies
For each outbound security policy, in the Actions tab, set the Anti-Spyware setting to include the anti-spyware profile created, either explicitly or as a Group Profile
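An audit of the profile settings above, as an added example rather than part of the benchmark or a Palo Alto Networks tool: it reads an exported PAN-OS configuration and reports, per anti-spyware profile, any DNS signature source list whose action is not sinkhole and any empty Sinkhole IPv4 / IPv6 field. The element layout used here (profiles/spyware/entry/botnet-domains with lists/entry/action and sinkhole/ipv4-address, ipv6-address) is assumed to match an exported running-config; the list names and the sample profiles are constructed, and you should check the paths against your own export before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragment of a PAN-OS configuration export.
# Element paths are assumed; confirm them against a real export.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><spyware>
      <entry name="strict-sinkhole">
        <botnet-domains>
          <lists>
            <entry name="default-paloalto-dns"><action><sinkhole/></action></entry>
            <entry name="default-paloalto-cloud"><action><sinkhole/></action></entry>
          </lists>
          <sinkhole>
            <ipv4-address>sinkhole.paloaltonetworks.com</ipv4-address>
            <ipv6-address>::1</ipv6-address>
          </sinkhole>
        </botnet-domains>
      </entry>
      <entry name="legacy-alert-only">
        <botnet-domains>
          <lists>
            <entry name="default-paloalto-dns"><action><alert/></action></entry>
          </lists>
          <sinkhole>
            <ipv4-address></ipv4-address>
          </sinkhole>
        </botnet-domains>
      </entry>
    </spyware></profiles>
  </entry></vsys></entry></devices>
</config>"""


def audit_sinkhole(config_xml):
    """Return {profile_name: [findings]}; an empty list means the profile passes."""
    root = ET.fromstring(config_xml)
    results = {}
    for spyware in root.iter("spyware"):
        for entry in spyware.findall("entry"):
            name = entry.get("name")
            findings = []
            bd = entry.find("botnet-domains")
            if bd is None:
                results[name] = ["no DNS Signatures (botnet-domains) settings at all"]
                continue
            lists = bd.findall("lists/entry")
            if not lists:
                findings.append("no DNS Signature Source List configured")
            for lst in lists:
                action = lst.find("action")
                # The action is encoded as a single child element, e.g. <sinkhole/>.
                chosen = [child.tag for child in action] if action is not None else []
                if chosen != ["sinkhole"]:
                    findings.append(
                        f"list {lst.get('name')!r} action is {chosen or 'unset'}, not sinkhole")
            v4 = (bd.findtext("sinkhole/ipv4-address") or "").strip()
            v6 = (bd.findtext("sinkhole/ipv6-address") or "").strip()
            if not v4:
                findings.append("Sinkhole IPv4 is empty (expected sinkhole.paloaltonetworks.com "
                                "or an internal sinkhole host)")
            if not v6:
                findings.append("Sinkhole IPv6 is empty (expected ::1 or an internal sinkhole host)")
            results[name] = findings
    return results


if __name__ == "__main__":
    for profile, findings in audit_sinkhole(SAMPLE_CONFIG).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {profile}")
        for f in findings:
            print(f"    - {f}")
```

A passing profile is only half of the check: the last two steps require that every outbound security policy actually references that profile (directly or through a profile group), so a profile that passes here but is attached to no rule still leaves the recommendation unmet.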

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/files/3750