6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use

Information

Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.

Rationale:

DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the DNS server itself may be seen as infected, while the truly infected device remains unidentified. In addition, sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could be potentially used to negatively impact the 'ip reputation' of the organization's internet network subnets.

Solution

Navigate to Objects > Security Profiles > Anti-Spyware.
Within the each anti-spyware profile, under its DNS Policies tab, set the Signature Source List:
default-paloalto-dns should have as its Policy Action set to sinkhole
If licensed, the DNS Security should have as its Policy Action set to sinkhole
Verify the 'Sinkhole IPv4' IP address is correct. This should be set to sinkhole.paloaltnetworks.com, or if an internal host is set then that host IP or FQDN should be in that field
Verify the 'Sinkhole IPv6' IP address is correct. This should be set to IPv6 Loopback IP (::1), or if an internal DNS Sinkhole host is set then that host IP or FQDN should be in that field
Navigate to Policies > Security Policies
For each outbound security Policy, in the Actions tab, set the Anti-Spyware setting to include the Spyware Profile created, either explicitly or as a Group Profile

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|8.3, CSCv7|8.7

Plugin: Palo_Alto

Control ID: a1284b3aaa575d70f153d3250ecf92c9c8b6a1360a375595ea116a830ffa13b5