Understanding Palo Alto Firewall Sinkholing for Domains
What is Sinkholing?
DNS sinkholing is a feature of our campus border firewalls (made by Palo Alto Networks) that prevents clients from reaching domains the vendor's threat intelligence has identified as malicious, such as malware command-and-control or phishing domains. Rather than silently dropping the traffic, the firewall answers the DNS lookup for such a domain with a decoy address, the sinkhole, so that the attempted connection is visible in the firewall's logs.
What Happens Between the Client and the DNS Server?
When a client attempts to access a domain, its computer first asks a DNS server to resolve the name to an IP address. If the Palo Alto firewall is configured for DNS sinkholing, it inspects the DNS traffic passing through it and checks the queried domain against its threat list (the DNS signatures in the firewall's Anti-Spyware profile).
In scenarios where the firewall is deployed upstream (north) of the local DNS resolver, it does not see the original client making the DNS query: the resolver asks the outside world on the client's behalf, so the firewall sees only the resolver's IP as the source of the query, and a hit in the threat log cannot be traced back to the client. DNS sinkholing addresses this by forging the DNS response for a flagged domain. Instead of the real answer, the client (via the resolver) receives a designated sinkhole IP, either the vendor's default sinkhole address or a custom-defined address. The client then tries to connect to that sinkhole address, and because that connection also crosses the firewall, the firewall now sees the client's own IP as the source.
This redirection allows administrators to identify potentially infected hosts by monitoring the traffic logs for sessions whose destination is the sinkhole IP. A device that attempts to connect to the sinkhole IP was trying to reach a domain flagged as malicious and should be treated as potentially compromised until checked. Two caveats apply. First, the local resolver caches the forged answer for its TTL, so a client can be sent to the sinkhole without a matching new DNS hit in the threat log; the traffic log, not the threat log, is where the client is found. Second, a custom sinkhole IP should be an address that no real host uses, so that the diverted connections fail (and are logged) rather than reach something unintended.
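The correlation described above, as an added example that is not part of the original page and not Palo Alto Networks code. It reads constructed, simplified log lines (not the firewall's real export format), where the threat log records the sinkhole DNS hits with the campus resolver as source, and the traffic log records the clients' follow-up connections to the sinkhole IP. The sinkhole address 10.255.255.1, the resolver address 10.10.0.53, the client addresses and the domain names are all hypothetical. The script lists every client that contacted the sinkhole, attributes candidate domains from DNS hits seen shortly before each connection, and marks clients whose answer evidently came from the resolver's cache (no DNS hit in the window).

```python
"""Find likely infected clients from Palo Alto DNS-sinkhole activity.

Added example, not from the original page or from Palo Alto Networks.
All addresses, domains and the CSV layout below are hypothetical and
constructed for illustration; real firewall exports have many more fields.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IPS = {"10.255.255.1"}   # hypothetical custom sinkhole address
RESOLVER_IPS = {"10.10.0.53"}     # hypothetical campus resolver

# Constructed sample log lines. The threat rows show the resolver as source
# (firewall is north of the resolver); the traffic rows show the real clients.
SAMPLE_LOGS = """\
receive_time,type,src,dst,dport,app,action,domain
2024-03-01 09:00:01,threat,10.10.0.53,8.8.8.8,53,dns,sinkhole,evil.example
2024-03-01 09:00:02,traffic,10.20.1.15,10.255.255.1,443,ssl,allow,
2024-03-01 09:00:02,traffic,10.20.1.15,93.184.216.34,443,ssl,allow,
2024-03-01 09:05:30,threat,10.10.0.53,8.8.8.8,53,dns,sinkhole,c2.example
2024-03-01 09:05:31,traffic,10.20.7.88,10.255.255.1,80,web-browsing,allow,
2024-03-01 09:05:40,traffic,10.20.1.15,10.255.255.1,80,web-browsing,allow,
2024-03-01 10:00:00,traffic,10.20.9.9,10.255.255.1,443,ssl,allow,
"""


def parse_logs(text):
    """Parse the CSV text into dicts with a datetime 'time' field, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["receive_time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["time"])
    return rows


def sinkhole_hits(rows, sinkhole_ips=SINKHOLE_IPS, window=timedelta(seconds=60)):
    """Return {client_ip: {"hits": n, "domains": [...], "first_seen": datetime}}.

    A client is any traffic-log source that connected to a sinkhole IP.
    Domains are attributed heuristically from sinkhole DNS hits that occurred
    within `window` before the connection; an empty list means the client
    most likely got the forged answer from the resolver's cache.
    """
    dns_hits = [r for r in rows if r["type"] == "threat" and r["action"] == "sinkhole"]
    report = defaultdict(lambda: {"hits": 0, "domains": set(), "first_seen": None})
    for r in rows:
        if r["type"] != "traffic" or r["dst"] not in sinkhole_ips:
            continue
        entry = report[r["src"]]
        entry["hits"] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = r["time"]
        for hit in dns_hits:
            if r["time"] - window <= hit["time"] <= r["time"]:
                entry["domains"].add(hit["domain"])
    return {
        ip: {"hits": e["hits"], "domains": sorted(e["domains"]), "first_seen": e["first_seen"]}
        for ip, e in report.items()
    }


def format_report(report):
    """One line per client, most sinkhole connections first."""
    lines = []
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        note = " (this is the resolver itself; real client not visible)" if ip in RESOLVER_IPS else ""
        doms = ", ".join(e["domains"]) or "(no DNS hit in window; likely served from resolver cache)"
        lines.append(
            f"{ip}{note}: {e['hits']} connection(s) to sinkhole, "
            f"first {e['first_seen']:%Y-%m-%d %H:%M:%S}, domains: {doms}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(sinkhole_hits(parse_logs(SAMPLE_LOGS))):
        print(line)
```

The domain attribution is deliberately a heuristic: with the firewall north of the resolver, nothing in the logs ties a DNS hit to a specific client, so the time window only narrows the candidates. Endpoint investigation, or the resolver's own query logs, confirms which flagged domain a given host asked for.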
How the Sinkhole Presents to the Client and the Impact
When a domain is sinkholed:
- Client Experience: The client device connects to the sinkhole IP instead of the real server. Because the sinkhole address is not a working server, the user typically sees a connection timeout, a "site can't be reached" browser error, or an application-specific failure rather than an explicit block page.
- Network Impact: Sinkholing changes only the DNS answers for flagged domains; it adds no measurable load and does not affect other traffic. The connections it diverts to the sinkhole IP are what give the security team visibility into potentially infected devices.
How to Identify if a Site is Sinkholed
To determine whether a domain is being sinkholed, use the following method:
Use Palo Alto Networks' Test A Site tool (urlfiltering.paloaltonetworks.com). Enter the URL or domain you want to check, and the tool reports the category Palo Alto assigns to it; whether that category is sinkholed depends on the campus firewall's policy for the category. A quick cross-check from a campus client is a DNS lookup of the domain: if the answer is the sinkhole address rather than a normal public IP, the domain is sinkholed. If you believe a blocked URL or domain should be allowed, please create a ticket with the ITS Helpdesk.
The following table lists the categories Palo Alto uses to classify sites, and the sinkhole action the campus firewall takes for each category.
