# Playbook of the Week: Swallow Traffic to Malicious Domains with DNS Sinkholes

By [Ido Van Dijk](https://www.paloaltonetworks.com/blog/author/ido-van-dijk/?ts=markdown "Posts by Ido Van Dijk") Aug 31, 2023 5 minutes

[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown) [black hole DNS](https://www.paloaltonetworks.com/blog/tag/black-hole-dns/?ts=markdown) [botnet](https://www.paloaltonetworks.com/blog/tag/botnet/?ts=markdown) [C\&C](https://www.paloaltonetworks.com/blog/tag/cc/?ts=markdown) [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown) [DNS sinkhole](https://www.paloaltonetworks.com/blog/tag/dns-sinkhole/?ts=markdown) [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown) [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)

**What is a DNS Sinkhole?**

When you hear about sinkholes, it's not necessarily a good thing. In cybersecurity, however, DNS sinkholing is a technique that redirects DNS queries for malicious domains to a controlled IP address, known as a sinkhole. It is commonly employed as a security measure to keep hosts on a protected network from reaching or communicating with known malicious domains. By capturing and redirecting that DNS traffic to a sinkhole, organizations gain **visibility** into potential threats, **prevent** malware infections from completing, and **disrupt** malicious activity such as command-and-control traffic.

**When Should DNS Sinkholing Be Used?**

DNS sinkholing enables the identification of infected hosts on a protected network by leveraging DNS traffic. The redirected traffic can be captured and analyzed by security analysts.

In scenarios where the firewall cannot directly observe the originator of DNS queries, such as when it is positioned north of the local DNS server, traditional threat logs only identify the **local DNS resolver** as the **traffic source**, obscuring the **actual infected host**. With DNS sinkholing, the firewall forges responses to client queries for malicious domains, so when a client then attempts to connect to the malicious domain it is **redirected** to a **designated sinkhole IP address**. That connection is a separate session originating from the infected host itself, so by searching the traffic logs for connections to the sinkhole IP, administrators can readily pinpoint the infected hosts, enabling prompt detection and remediation of compromised systems. DNS sinkholing thus closes the visibility gap introduced by the resolver and gives a reliable way to identify and address infected hosts.
The following image demonstrates the process:

* The botnet on client host 192.168.2.10 sends a DNS query for Hacker Server (a malicious domain).
* The internal DNS server relays the request through the firewall to the public DNS server.
* The firewall checks the request against the configured DNS signature source and detects the malicious domain. Instead of forwarding the request to the public DNS server, it forges a DNS reply containing the sinkhole IP addresses (IPv4 and IPv6).
* The botnet then attempts to communicate with Hacker Server, but sends its traffic to the sinkhole IP address instead.
* The session goes through the firewall from the user to the sinkhole address.
* The SOC team can then identify all client hosts trying to communicate with the sinkhole IP address by searching the traffic logs for communication with the sinkhole FQDN.
* The SOC team then eradicates the botnet from all infected hosts.

**Note:** The client hosts and the sinkhole IP must be in different zones, so that the sessions pass through the firewall and get logged. The sinkhole IP address does not have to be an active host, just an unused IP address.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303502-1.png)

**Our Playbook**

Our [**PAN-OS - Configure DNS Sinkhole** playbook](https://xsoar.pan.dev/docs/reference/playbooks/pan-os---configure-dns-sinkhole) automatically finds the security rule that allows outgoing traffic from the internal DNS server(s) to the public DNS server on the internet. It then edits that rule and attaches an anti-spyware security profile to it. The profile scans the allowed DNS traffic for queries to the malicious domains found in the DNS signature source, and **sinkholes** those requests.
Verifying that the sinkhole is working is easy: run "nslookup" on one of the endpoints against the domain being sinkholed and confirm that the answer is the sinkhole address rather than the domain's real IP:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303502-2.png)

Additionally, new **threat logs** are generated when an endpoint tries to resolve a sinkholed domain. Note that these show the request as coming from the internal DNS server to the external DNS server, not from the endpoint itself:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303502-3.png)

After the requests are sinkholed, the playbook creates an Address Object for the sinkhole's fully qualified domain name (FQDN), *sinkhole.paloaltonetworks.com*. It then creates a *deny rule* for the new address object, placed before the rule that allows the DNS traffic. When the infected systems reach out to their command-and-control servers, the domains resolve to the sinkhole address and the systems attempt to communicate with it. That communication is denied, producing new traffic logs whose source is the infected system and whose destination is the IP address that *sinkhole.paloaltonetworks.com* resolves to (the deny rule must have logging enabled for these traffic logs to appear):

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-303502-4.png)

Once the sinkhole is configured, the **PAN-OS - Extract IPs From Traffic Logs To Sinkhole** playbook can be used to find the IP addresses of the systems that communicated with the sinkhole address. The playbooks aim to make as few modifications as possible to the firewall, tagging the rules they touch and reusing existing security profiles, rules and address objects where possible.
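The visibility point above (sinkhole threat logs name the resolver, traffic logs to the sinkhole name the infected host), the nslookup check, and the IP-extraction step, as an added Python example that is not part of the original post or of the XSOAR playbooks. The sinkhole addresses 198.51.100.5 and 2001:db8::5, the host and domain names, and the simplified key=value log lines are all constructed placeholders chosen for this example; they are not PAN-OS's log schema or field names.

```python
"""Added example; not code from the original post or from the XSOAR playbooks.

It models the article's visibility point: when the firewall sits north of the
internal resolver, the sinkhole *threat* log names the resolver as the source,
while the *traffic* log of the (denied) session to the sinkhole address names
the real infected host. Sinkhole addresses, hostnames and the key=value log
format are constructed for this example and are not PAN-OS's log schema.
"""
from collections import Counter
from ipaddress import ip_address


def _norm(addr: str) -> str:
    """Canonical string form so '2001:DB8::5' and '2001:db8::5' compare equal."""
    return str(ip_address(addr))


# Assumed sinkhole addresses (placeholders). In a real deployment, resolve the
# sinkhole FQDN (sinkhole.paloaltonetworks.com by default) and use its answers.
SINKHOLE_IPS = {_norm("198.51.100.5"), _norm("2001:db8::5")}

# Constructed sample logs (not real PAN-OS output). 192.168.1.2 is the internal
# resolver; 192.168.2.10 and 192.168.2.37 are the hosts that are actually infected.
THREAT_LOGS = [
    "type=threat subtype=spyware src=192.168.1.2 dst=8.8.8.8 dport=53 "
    "action=sinkhole threat=hacker-server.example",
]
TRAFFIC_LOGS = [
    "type=traffic src=192.168.2.10 dst=198.51.100.5 dport=443 action=deny rule=Block-Sinkhole",
    "type=traffic src=192.168.2.10 dst=198.51.100.5 dport=443 action=deny rule=Block-Sinkhole",
    "type=traffic src=192.168.2.37 dst=2001:DB8::5 dport=80 action=deny rule=Block-Sinkhole",
    "type=traffic src=192.168.2.50 dst=203.0.113.9 dport=443 action=allow rule=Allow-Web",
    "type=traffic src=192.168.1.2 dst=8.8.8.8 dport=53 action=allow rule=Allow-DNS",
]


def parse(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; values in this format contain no spaces."""
    return dict(tok.split("=", 1) for tok in line.split())


def threat_log_sources(lines) -> set:
    """Sources named by sinkhole threat logs. North of the resolver this is only
    the resolver itself, which is exactly the visibility gap the article describes."""
    return {_norm(r["src"]) for r in map(parse, lines) if r.get("action") == "sinkhole"}


def infected_hosts(lines, sinkhole_ips=SINKHOLE_IPS) -> dict:
    """Map each source that tried to reach a sinkhole address to its number of
    attempts. Only traffic logs count; a malformed or missing address is skipped
    rather than aborting the hunt. The resolver drops out naturally because its
    sessions go to real DNS servers, never to the sinkhole."""
    hits = Counter()
    for rec in map(parse, lines):
        if rec.get("type") != "traffic":
            continue
        try:
            src, dst = _norm(rec["src"]), _norm(rec["dst"])
        except (KeyError, ValueError):
            continue
        if dst in sinkhole_ips:
            hits[src] += 1
    return dict(hits)


def is_sinkholed(answers, sinkhole_ips=SINKHOLE_IPS) -> bool:
    """Verification step: given the addresses an nslookup of the malicious
    domain returned, report whether every answer is a sinkhole address."""
    return bool(answers) and all(_norm(a) in sinkhole_ips for a in answers)


if __name__ == "__main__":
    print("threat logs name:", threat_log_sources(THREAT_LOGS))
    print("traffic logs name:", infected_hosts(TRAFFIC_LOGS))
    print("lookup sinkholed:", is_sinkholed(["198.51.100.5"]))
```

Run it directly to print the three results. In practice, swap the placeholder `SINKHOLE_IPS` for whatever *sinkhole.paloaltonetworks.com* resolves to in your environment, and feed `infected_hosts` only the sessions that matched the deny rule so the query stays small; the function deliberately counts attempts per source, since a host that keeps beaconing is a better lead than one that resolved the domain once.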
Additionally, users can easily configure the playbooks to determine:

* Whether to create a new rule to *allow DNS traffic* if it is not currently allowed (in order to create the sinkhole)
* What to do if an anti-spyware profile is already applied to the *allow rule*
* How long to wait for the systems to generate malicious traffic before returning the logs
* Whether to output full logs of the generated traffic to the sinkhole, or only the detected source IP addresses

The **PAN-OS - Configure DNS Sinkhole** playbook can be used as a sub-playbook for remediation in malware playbooks, or run manually. The **PAN-OS - Extract IPs From Traffic Logs To Sinkhole** playbook can be used as a sub-playbook when the sinkhole is already configured, as a form of enrichment or hunting. It can be leveraged when one system is infected and there's a need to map other infected systems, or it can be run as a job when new malicious domains are ingested from a feed or added in a PAN-OS signature update.

If you're interested in sinkholing specific domains listed in an External Dynamic List (EDL), we recommend using the PAN-OS - Configure DNS Sinkhole playbook in conjunction with the [Generic Export Indicators Service](https://cortex.marketplace.pan.dev/marketplace/details/EDL/), which can automatically export domains to an EDL.

Don't have Cortex XSOAR? Download our free trial [here](https://start.paloaltonetworks.com/sign-up-for-community-edition.html).