Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


DNS Sinkhole Overview

DNS Sinkhole feature enables you to block DNS requests for the disallowed domains by resolving the domains to a sinkhole server or by rejecting the DNS requests.

You can configure DNS filtering on SRX Series Firewalls to identify DNS requests for disallowed domains.


Starting in Junos OS Release 20.4 R1, you can configure DNS filtering on vSRX Virtual Firewall instances and all SRX Series Firewalls except SRX 5000 line of devices. Support for configuring DNS filtering on SRX 5000 line of devices was introduced in Junos OS Release 21.1 R1.

After identifying the DNS requests for disallowed domains, you can perform any of the following action:

  • Block access to the disallowed domain by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a sinkhole server that is hosted on the SRX Series Firewall. This ensures that when the client attempts to send traffic to the disallowed domain, the traffic instead goes to the sinkhole server.

  • Log the DNS request and reject access.

The DNS request for the known bad domains is handled as per the query type (QTYPE). The DNS queries of type – A, AAAA, MX, CNAME, TXT, SRV and ANY will result into sinkhole action and will be counted and reported individually. The DNS queries of other types will only be logged on match to a bad domain (and then allowed to go through) and reported together as type “misc”.

  • DNS sinkhole feature is available only with Juniper ATP Cloud premium license.

  • The sinkhole server can prevent further access of the disallowed domain from inappropriate users or can take any other action while allowing the access. The sinkhole server actions are not controlled by the DNS filtering feature. You must configure the sinkhole server actions separately.


  • Redirects DNS requests for disallowed domains to sinkhole servers and prevents anyone operating the system from accessing the disallowed domains.

  • Provides in-line blocking for disallowed domains through SecIntel feeds.

  • Helps to identify the infected host in your network.


The logical topology for DNS Sinkhole is shown in Figure 1.

Figure 1: DNS SinkholeDNS Sinkhole

A high-level workflow to identify an infected host in a network using DNS Sinkhole feature is as follows:

Table 1: Identifying Infected Host using DNS Sinkhole




Client sends a DNS request for Bad Domain Server.


The SRX Series Firewall first queries the corporate DNS server for the domian. If the DNS query is unknown, the corporate DNS server forwards the request to the public DNS root server.


The SRX Series Firewall, which is configured with Juniper ATP Cloud policy streams the unknown DNS query from the corporate DNS server to the Juniper ATP Cloud for inspection.


Juiper ATP Cloud provides per tenant (LSYS/TSYS) domain feeds such as allowlist DNS feeds, custom DNS feeds and global DNS feeds to the SRX Series Firewall.

Juniper ATP Cloud collects the FQDN information from third party source, and Juniper threat lab for its global DNS feeds. Customer can post their own customized DNS feed through OpenAPI.


The SRX Series Firewall downloads the DNS domain feeds from ATP Cloud and applies actions such as sinkhole, block (drop/close), permit, or recommended for the matched domains.

  • For allowlisted feeds, the DNS request is logged and access is allowed.

  • For custom DNS feeds, sinkhole, block with drop or close, permit, and recommended actions are allowed based on threat-level for the matched domains.


By default, the SRX Series Firewall responds to the DNS queries for the disallowed domain with the default sinkhole server.


In this example, the SRX Series Firewall is configured with the sinkhole action. After Juniper ATP Cloud has identified bad domain server as a malicious domain the SRX Series Firewall responds to queries for bad domain server with its own sink-hole IP address.


Client attempts to communicate with bad domain server, but instead connects to the sinkhole IP address that is hosted on the SRX Series Firewall.


The infected client connecting to the sink-hole IP address is identified, added to the infected-hosts feed, and quarantined. The system administrator can identify all clients trying to communicate with the sinkhole IP address by searching for the sinkhole IP address in the threat and traffic logs.