Using DNS Sinkhole feature to block DNS queries
04/29/2020 4 2731
Firewall can block DNS queries to specific domains through its feature of DNS Sinkhole. The important step to achieve this requirement is to use split DNS tunneling so that firewall can receive the DNS queries at its end and take action rather than forwarding to internal or public DNS servers.
EXAMPLE: Lets take "yahoo.com" domain into consideration and we will block the DNS query of this domain via firewall with client PC configured with internal or public DNS servers.
Configure Firewall in split tunnel and point the dns query for the domain towards firewall.
- To configure the split tunnel, navigate to Manage |System Setup | Nnetwork | DNS .
- Enable the checkbox for IPv4 Split DNS which states Enable proxying of split DNS servers.
- Configure the domain which you want to block and point its dns query towards firewall interface IP address.
Enabling DNS Sinkhole and configuring it
- Navigate to Manage |System Setup | Nnetwork | DNS Security.
- Enable the option Enable DNS Sinkhole Service.
- Select one of the available three options.
- Click ADD and enter the domain yahoo.com into the Custom Malicious Domain Name List.
How to Test :
- Run nslookup command to generate the DNS query from a PC behind X0 network of SonicWall and check the SonicWall Logs and Packet monitor with UDP 53 traffic as :
NOTE: With DNS Sinkhole Service action selected as 'Dropping, with DNS reply of forged IP', we need to configure the forged or masked IP address so that firewall can return the dns query with that IP.
TIP: The above requirement can also be achieved by creating FQDN object of "yahoo.com" and blocking the DNS (Name Service) through access-rule, but it is always recommended to limit the usage of FQDN objects to avoid unnecessary CPU spikes in firewall.