Information
Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.
Rationale:
DNS sinkholing helps identify infected clients by spoofing DNS responses for queries to known malware domains, so that the infected client subsequently connects to the sinkhole address instead of the attacker's infrastructure. Without sinkholing, only the internal DNS server is seen forwarding the malicious query, so the DNS server itself may appear infected while the truly infected device remains unidentified. Sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could negatively affect the "IP reputation" of the organization's internet-facing network subnets.
Solution
Navigate to Objects > Security Profiles > Anti-Spyware
Within the anti-spyware profile, under its DNS Signatures tab, set Action on DNS queries to sinkhole.
Set 'Sinkhole IPv4' to the correct IP address.
Set 'Sinkhole IPv6' to the correct IP address.
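The following is an added example, not part of this benchmark entry or of any Palo Alto Networks code: it simulates the spoofed A/AAAA answers the profile returns for flagged domains and the follow-up check that flags any internal host connecting to the sinkhole address as infected. The sinkhole addresses, malware domain list and the simplified "src,dst,dport" log format are all assumed values constructed for the example.

```python
# Added example (not PAN-OS code): DNS sinkhole answers plus the log check
# that identifies hosts contacting the sinkhole address.
import ipaddress
from collections import Counter

# Assumed sinkhole addresses: placeholders, use unused internal addresses.
SINKHOLE_V4 = "10.255.255.254"
SINKHOLE_V6 = "fd00::dead:beef"
SINKHOLES = {ipaddress.ip_address(SINKHOLE_V4), ipaddress.ip_address(SINKHOLE_V6)}

# Constructed list standing in for the profile's DNS signature domains.
MALWARE_DOMAINS = {"evil-c2.example", "update.bad-domain.test"}


def sinkhole_answer(qname: str, qtype: str, real_answer: str) -> str:
    """Spoof A/AAAA answers for flagged domains; pass everything else through.
    Both address families are spoofed, which is why the profile needs
    'Sinkhole IPv4' and 'Sinkhole IPv6' set."""
    if qname.rstrip(".").lower() in MALWARE_DOMAINS:
        if qtype.upper() == "A":
            return SINKHOLE_V4
        if qtype.upper() == "AAAA":
            return SINKHOLE_V6
    return real_answer


# Constructed traffic log in a simplified "src,dst,dport" format (not PAN-OS's).
TRAFFIC_LOG = """\
10.1.1.20,93.184.216.34,443
10.1.1.37,10.255.255.254,443
10.1.1.37,10.255.255.254,80
10.1.2.5,FD00::DEAD:BEEF,443
10.1.1.20,10.1.1.53,53
"""


def infected_hosts(log_text: str) -> dict:
    """Return {src: number of connections to a sinkhole address}.
    Addresses are normalised with ipaddress so IPv6 case and zero-compression
    differences in the log still match the configured sinkhole."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _port = line.split(",")
        if ipaddress.ip_address(dst.strip()) in SINKHOLES:
            hits[src.strip()] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in infected_hosts(TRAFFIC_LOG).items():
        print(f"{host}: {count} sinkhole connection(s), treat as infected")
```

Any host reported by infected_hosts resolved a flagged domain and then tried to reach it, so the alert fires on the endpoint rather than on the internal DNS server that forwarded the query.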
Default Value:
Not Configured