DNS Sinkhole

Overview

The DNS Sinkhole feature enables you to block DNS requests for disallowed domains, either by resolving those domains to a sinkhole server or by rejecting the DNS requests.

Starting in Junos OS Release 20.4R1, you can configure DNS filtering on SRX Series devices to identify DNS requests for disallowed domains. After identifying such a DNS request, you can perform any of the following actions:

  • Block access to the disallowed domain by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a sinkhole server that is hosted on the SRX Series device. This ensures that when the client attempts to send traffic to the disallowed domain, the traffic instead goes to the sinkhole server.

  • Log the DNS request and reject access.

The DNS request for a known bad domain is handled according to its query type (QTYPE). DNS queries of type A, AAAA, MX, CNAME, TXT, SRV, and ANY result in the sinkhole action and are counted and reported individually. DNS queries of other types are only logged on a match to a bad domain (and then allowed to go through) and are reported together as type "misc".

Note:
  • The DNS sinkhole feature is available only with a Juniper ATP Cloud premium license.

  • The sinkhole server can prevent further access to the disallowed domain by the affected users, or it can take any other action while allowing the access. The sinkhole server actions are not controlled by the DNS filtering feature; you must configure them separately.

Benefits

  • Redirects DNS requests for disallowed domains to sinkhole servers and prevents anyone operating the system from accessing the disallowed domains.

  • Provides in-line blocking for disallowed domains through SecIntel feeds.

  • Helps to identify the infected host in your network.

Workflow

The logical topology for DNS Sinkhole is shown in Figure 1.

Figure 1: DNS Sinkhole

A high-level workflow for identifying an infected host in a network using the DNS Sinkhole feature is as follows:

  1. The client sends a DNS request for the bad domain server.

  2. The SRX Series device first queries the corporate DNS server for the domain. If the domain is unknown to it, the corporate DNS server forwards the request to the public DNS root server.

  3. The SRX Series device, which is configured with a Juniper ATP Cloud policy, streams the unknown DNS query from the corporate DNS server to Juniper ATP Cloud for inspection.

  4. Juniper ATP Cloud provides per-tenant (LSYS/TSYS) domain feeds, such as allowlist DNS feeds, custom DNS feeds, and global DNS feeds, to the SRX Series device.

    Juniper ATP Cloud collects the FQDN information for its global DNS feeds from third-party sources and the Juniper threat lab. Customers can post their own customized DNS feeds through the OpenAPI.

  5. The SRX Series device downloads the DNS domain feeds from ATP Cloud and applies actions such as sinkhole, block (drop/close), permit, or recommended to the matched domains.

    • For allowlisted feeds, the DNS request is logged and access is allowed.

    • For custom DNS feeds, the sinkhole, block (with drop or close), permit, and recommended actions are applied based on the threat level of the matched domains.

    Note:
    By default, the SRX Series device responds to DNS queries for a disallowed domain with the default sinkhole server.

  6. In this example, the SRX Series device is configured with the sinkhole action. After Juniper ATP Cloud has identified the bad domain server as a malicious domain, the SRX Series device responds to queries for the bad domain server with its own sinkhole IP address.

  7. The client attempts to communicate with the bad domain server, but instead connects to the sinkhole IP address that is hosted on the SRX Series device.

  8. The infected client connecting to the sinkhole IP address is identified, added to the infected-hosts feed, and quarantined. The system administrator can identify all clients trying to communicate with the sinkhole IP address by searching for that address in the threat and traffic logs.

Configure DNS Sinkhole

To configure DNS sinkhole for disallowed domains:

  1. Configure a DNS profile. In this example, the profile name is dns-profile. For the allowlisted feed dns-feed-1, the DNS request is logged and access is allowed. For the custom DNS feed custom-dns-feed-1, the DNS request is configured for sinkholing.

    [edit services]

    user@host# set security-intelligence profile dns-profile category DNS

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action permit

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action log

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action log

  2. (Optional) Configure the DNS sinkhole server. In this example, the domain name of the DNS sinkhole server is set to sinkhole.junipernetworks.com.

    [edit services]

    user@host# set dns-filtering sinkhole fqdn sinkhole.junipernetworks.com

    Note:
    • The FQDN value sinkhole.junipernetworks.com is provided only as an example; do not use it in an actual configuration.

    • If you do not configure the DNS sinkhole server, then by default, the sinkhole IP address that is hosted on the SRX firewall acts as the sinkhole server.

  3. Configure the DNS policy.

    [edit services]

    user@host# set security-intelligence policy dns-policy category DNS security-intelligence-profile dns-profile

  4. Configure a security policy and assign the DNS policy to the security policy.

    [edit security]

    user@host# set policies from-zone trust to-zone untrust policy security-policy match source-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy match destination-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy match application any

    user@host# set policies from-zone trust to-zone untrust policy security-policy then permit application-services security-intelligence-policy dns-policy

  5. (Optional) To stream the DNS logs, use the following command:

    [edit security]

    user@host# set log stream <dnsf-stream-name> category dnsf
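The following Python model is an added example, not Junos code or part of the original page: it reproduces the decision logic described above (the QTYPE rule that sinkholes A, AAAA, MX, CNAME, TXT, SRV and ANY and only logs other types as "misc") together with the two dns-profile rules from step 1. The feed contents, client addresses and sinkhole address are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

# Query types that receive a sinkhole answer; everything else is logged and forwarded.
SINKHOLE_QTYPES = {"A", "AAAA", "MX", "CNAME", "TXT", "SRV", "ANY"}

# Constructed feeds: domain -> threat level (1-10). Real feeds come from ATP Cloud.
FEEDS = {
    "dns-feed-1": {"partner.example.net": 3},                        # allowlisted feed
    "custom-dns-feed-1": {"bad.example.com": 9, "c2.example.org": 10},
}

# Rules as configured in dns-profile: (feed-name, threat levels, action). Both also log.
RULES = [
    ("dns-feed-1", range(1, 8), "permit"),          # dns-rule-1: threat-level 1-7
    ("custom-dns-feed-1", range(8, 11), "sinkhole"),  # dns-rule-2: threat-level 8-10
]


@dataclass
class DnsFilter:
    # Constructed address; by default the SRX answers with its own hosted sinkhole IP.
    sinkhole: str = "192.0.2.1"
    counters: Counter = field(default_factory=Counter)   # per-QTYPE plus "misc"
    log: list = field(default_factory=list)

    def match_rule(self, qname):
        """First rule whose feed lists qname at a matching threat level, else None."""
        for feed, levels, action in RULES:
            level = FEEDS[feed].get(qname.rstrip(".").lower())
            if level is not None and level in levels:
                return feed, level, action
        return None

    def handle(self, client, qname, qtype):
        """Return ('forward', None) or ('sinkhole', address) for one query."""
        hit = self.match_rule(qname)
        if hit is None:                      # not in any feed: resolve normally, no log
            return "forward", None
        feed, level, action = hit
        verdict, answer = "forward", None
        if action == "sinkhole":
            if qtype in SINKHOLE_QTYPES:     # answered with the sinkhole, counted by type
                self.counters[qtype] += 1
                verdict, answer = "sinkhole", self.sinkhole
            else:                            # other QTYPEs: logged, counted as misc, allowed
                self.counters["misc"] += 1
        self.log.append((client, qname, qtype, feed, level, verdict))
        return verdict, answer

    def sinkholed_clients(self):
        """Clients that received a sinkhole answer: candidates for the infected-hosts feed."""
        return sorted({c for c, _, _, _, _, v in self.log if v == "sinkhole"})
```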

To display DNS statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics logical-system logical-system-name

  • show services security-intelligence dns-statistics tenant tenant-name

To display DNS profile statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics profile p1 logical-system logical-system-name

  • show services security-intelligence dns-statistics profile p1 tenant tenant-name

To display all DNS statistics for logical systems and tenant systems, use the following commands:

  • show services security-intelligence dns-statistics logical-system all

  • show services security-intelligence dns-statistics tenant all

  • show services security-intelligence dns-statistics

To clear statistics for DNS filtering, use the following commands:

  • clear services security-intelligence dns-statistics logical-system logical-system-name

  • clear services security-intelligence dns-statistics logical-system all

  • clear services security-intelligence dns-statistics