Using DNS Sinkhole feature to block DNS queries

Description

Firewall can block DNS queries to specific domains through its feature of DNS Sinkhole. The important step to achieve this requirement is to use split DNS tunneling so that firewall can receive the DNS queries at its end and take action rather than forwarding to internal or public DNS servers.

EXAMPLE: Lets take "yahoo.com" domain into consideration and we will block the DNS query of this domain via firewall with client PC configured with internal or public DNS servers.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Configure Firewall in split tunnel and point the dns query for the domain towards firewall. 

  1. To configure the split tunnel, navigate to Network|DNS| Settings.
  2. Enable the checkbox for IPv4 Split DNS which states Enable proxying of split DNS servers.

    Image


  1. To configure the domain which you want to block and point  its dns query towards firewall interface IP address, navigate to Network | DNS | Settings | Split DNS and click Add.



    Image


Enabling DNS Sinkhole and configuring it 

  1. Navigate to Network |DNS | DNS Security | DNS Sinkhole Service.
  2. Enable the option Enable DNS Sinkhole Service.
  3. Select one of the available three options from Action dropdown.

    Image

  4. Navigate to Custom Malicious Domain Name List and click Add. Enter domain name Yahoo.com and click Save.

    Image



Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Configure Firewall in split tunnel and point the dns query for the domain towards firewall. 

  1. To configure the split tunnel, navigate to Manage |System Setup | Nnetwork | DNS  .
  2. Enable the checkbox for IPv4 Split DNS which states Enable proxying of split DNS servers.Image

  3.    Configure the domain which you want to block and point  its dns query towards firewall interface IP address.
    Image


Enabling DNS Sinkhole and configuring it 

  1. Navigate to Manage |System Setup | Nnetwork | DNS Security.
  2. Enable the option Enable DNS Sinkhole Service.
  3. Select one of the available three options.
  4. Click ADD and enter the domain yahoo.com into the Custom Malicious Domain Name List. Image

         



How to Test :

  • Run nslookup command to generate the DNS query from a PC behind X0 network of SonicWall and check the SonicWall Logs and Packet monitor with UDP 53 traffic as :
    ImageImage

    Image

    NOTE: With DNS Sinkhole Service action selected as 'Dropping, with DNS reply of forged IP', we need to configure the forged or masked IP address so that firewall can return the dns query with that IP.Image

    Image

    TIP: The above requirement can also be achieved by creating FQDN object of "yahoo.com" and blocking the DNS (Name Service) through access-rule, but it is always recommended to limit the usage of FQDN objects to avoid unnecessary CPU spikes in firewall.



Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
NSa Series
Networking
Firewalls
NSv Series
Networking
Firewalls
SonicWall NSA Series
Networking
Firewalls
SonicWall SuperMassive 9000 Series
Networking
Firewalls
TZ Series
Networking
not finding your answers?
Ask the Community