6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use

Information

Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall, so that the firewall sees and logs them. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.
Rationale:
DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the internal DNS server that forwards the query may appear to be the infected host, while the truly infected device remains unidentified. Sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could be used to negatively impact the IP reputation of the organization's internet-facing network subnets.
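The identification step described above, as an added illustration that is not part of the benchmark text: once sinkholing is configured, infected clients show up as the sources of sessions to the sinkhole address in the firewall traffic log. The log rows and sinkhole addresses below are constructed samples (192.0.2.1 and 2001:db8::1 stand in for whatever 'Sinkhole IPv4' and 'Sinkhole IPv6' are set to in the profile), and the column layout is a simplified CSV, not the full PAN-OS traffic log format.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample rows in a simplified traffic-log layout (not real logs):
# receive_time, src, dst, dport, app, action
SAMPLE_TRAFFIC_LOG = """\
2024/01/10 09:12:01,10.1.20.15,192.0.2.1,80,web-browsing,allow
2024/01/10 09:12:02,10.1.20.15,192.0.2.1,443,ssl,allow
2024/01/10 09:12:05,10.1.20.44,93.184.216.34,443,ssl,allow
2024/01/10 09:13:10,10.1.20.15,2001:db8::1,80,web-browsing,deny
2024/01/10 09:13:11,10.1.30.7,192.0.2.1,443,ssl,deny
2024/01/10 09:14:00,10.1.30.8,8.8.8.8,53,dns,allow
"""

# Placeholder sinkhole addresses; use the values configured in the profile.
SINKHOLE_ADDRESSES = ["192.0.2.1", "2001:db8::1"]


def parse_sinkholes(addresses):
    """Normalise the configured Sinkhole IPv4/IPv6 strings to address objects."""
    return {ipaddress.ip_address(a) for a in addresses}


def find_infected_hosts(log_text, sinkhole_addresses):
    """Return {src_ip: session_count} for every source that tried to reach
    a sinkhole address.  The session counts whether the firewall allowed or
    denied it: the client resolved a malware domain, received the spoofed
    answer and acted on it, which is the indicator the benchmark describes."""
    sinkholes = parse_sinkholes(sinkhole_addresses)
    hits = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 6:
            continue  # skip malformed or truncated rows
        src, dst = row[1], row[2]
        try:
            if ipaddress.ip_address(dst) in sinkholes:
                hits[src] += 1
        except ValueError:
            continue  # destination field is not an IP address
    return dict(hits)


if __name__ == "__main__":
    for host, count in find_infected_hosts(SAMPLE_TRAFFIC_LOG, SINKHOLE_ADDRESSES).items():
        print(f"{host}: {count} session(s) to sinkhole, treat as infected")
```

Only traffic that actually passes through the firewall is visible here, which is why the benchmark requires that all internal requests to the sinkhole address traverse it.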

Solution

Navigate to Objects > Security Profiles > Anti-Spyware.
Within the anti-spyware profile, under its DNS Signatures tab, set 'Action on DNS Queries' to sinkhole.
Set 'Sinkhole IPv4' to the correct IP address.
Set 'Sinkhole IPv6' to the correct IP address.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(4), CSCv6|8.5, CSCv6|8.6

Plugin: Palo_Alto

Control ID: 211b11f890638b7f93190e6f81001a903fa01d50e3059f0b5789f94cdb1521d6