Barracuda CloudGen Firewall

How to Configure DNS Sinkholing in the Firewall

  • Last updated on

UDP DNS traffic handled by the Firewall service is monitored. If a queried domain is considered malicious, the A and AAAA records in the DNS response are replaced with fake IP addresses. An access rule then blocks the clients from reaching the fake IP addresses and logs the attempt in the Threat Scan and the Firewall Monitor.

dns_sinkhole_01.png

Before You Begin

  • Clear the DNS cache of the internal DNS server and the DNS cache on the clients.
  • Identify an IPv4 and an IPv6 address to be used as the fake IP addresses. These addresses must not be in the same network as the clients or the internal DNS server.
  • An Advanced Threat Protection subscription is required to sync with the Barracuda Botnet and Spyware database.

Step 1. Enable DNS Sinkhole

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Settings.
  2. Click Lock.
  3. In the left menu, click DNS Sinkhole.
  4. From the Enable DNS Sinkhole list, select Yes.
  5. Enter the IPv4 DNS Sinkhole Address. Enter an IPv4 address that is not on your network. E.g., 2.2.2.2
  6. Enter the IPv6 DNS Sinkhole Address. Enter an IPv6 address that is not on your network. E.g., 2001:db8::1
    dns_sinkhole_config_01.png
  7. Enter blacklisted domains in the Custom Hostname Blacklist. Use one line per domain. The * and ? wildcard characters are allowed. E.g., add entries for google.com and *.google.com to block google.com including all of its subdomains.
  8. Enter whitelisted domains in the Custom Hostname Whitelist. Use one line per domain. The * and ? wildcard characters are allowed.
    dns_sinkhole_config_02.png
  9. Click Send Changes and Activate.
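As an added illustration (not Barracuda's code) of how the blacklist and whitelist patterns from Step 1 select a name and how A and AAAA answers are replaced, here is a Python model of the sinkhole decision plus a helper for checking a resolver's answer after deployment. The whitelist-over-blacklist ordering and the exact wildcard semantics are assumptions; the addresses and patterns are constructed from the page's examples.

```python
import ipaddress
import re

# Constructed values for the Step 1 settings (taken from the page's examples).
SINKHOLE_V4 = "2.2.2.2"       # IPv4 DNS Sinkhole Address
SINKHOLE_V6 = "2001:db8::1"   # IPv6 DNS Sinkhole Address

# Custom Hostname Blacklist / Whitelist, one pattern per line; only * and ? are wildcards.
BLACKLIST = ["google.com", "*.google.com", "ad?.example.net"]
WHITELIST = ["mail.google.com"]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a GUI pattern into a regex: * matches any run, ? one character,
    everything else is literal (unlike fnmatch, [..] is not special here)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern.strip().lower()]
    return re.compile("^" + "".join(parts) + "$")


def matches_any(hostname: str, patterns) -> bool:
    host = hostname.rstrip(".").lower()   # ignore the trailing dot of an FQDN
    return any(pattern_to_regex(p).match(host) for p in patterns if p.strip())


def is_sinkholed(hostname: str, blacklist=BLACKLIST, whitelist=WHITELIST) -> bool:
    """Assumption (not stated on the page): a whitelist hit exempts a name
    that a blacklist pattern would otherwise catch."""
    if matches_any(hostname, whitelist):
        return False
    return matches_any(hostname, blacklist)


def sinkhole_answer(hostname: str, qtype: str, real_answer: str) -> str:
    """Address a client receives: only A and AAAA answers for a sinkholed name
    are replaced; any other record type is passed through unchanged."""
    if is_sinkholed(hostname):
        if qtype == "A":
            return SINKHOLE_V4
        if qtype == "AAAA":
            return SINKHOLE_V6
    return real_answer


def looks_sinkholed(answer: str) -> bool:
    """Post-deployment check: does an address returned by the internal DNS server
    (after clearing caches, see Before You Begin) equal a sinkhole address?"""
    return ipaddress.ip_address(answer) in (
        ipaddress.ip_address(SINKHOLE_V4), ipaddress.ip_address(SINKHOLE_V6))
```

Note that a bare "google.com" entry never matches "www.google.com", which is why the page tells you to add both entries.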

Step 2. Block TCP DNS Queries

To prevent clients from circumventing the DNS sinkhole, block DNS queries via TCP for both IPv4 and IPv6.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
    dns_sinkhole_access_rule_00.png
  4. Configure the access rule:
    • Action – Select Block.
    • Source – Select Any.
    • Service – Select TCP DNS.
    • Destination – Select Internet.
    dns_sinkhole_block_dnstcp_01.png
  5. Click OK.
  6. Either click the plus v6 icon (+V6) in the top right of the ruleset, or right-click the ruleset and select New > IPv6 Rule.
    dns_sinkhole_access_rule_03.png
  7. Specify the following settings for the IPv6 rule:
    • Action – Select Block or Deny.
    • Source – Select Any or enter ::/0.
    • Service – Select Any.
    • Destination – Select Internet.
    dns_sinkhole_block_dnstcp_02.png
  8. Click OK.
  9. Drag and drop both access rules so that no rule above them matches the same traffic.
  10. Click Send Changes and Activate.

Step 3. Create Access Rules to Block Fake IP Addresses

Most blacklisted domains are accessed by bots and spyware on the client's computer. For the cases where a user enters a forbidden domain in the browser, you can create a block rule with a block page for HTTP traffic.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Specify the following settings to block the IPv4 sinkhole address:
    • Action – Select Block or Deny.
    • Source – Select Any.
    • Service – Select Any.
    • Destination – Select DNS Sinkhole IPv4.
    dns_sinkhole_access_rule_01.png
  4. In the left menu, click Advanced.
  5. In the Miscellaneous section, from the Block Page for TCP 80 list, select Access Block Page.
     dns_sinkhole_access_rule_02.png
  6. Click OK.
  7. Either click the plus v6 icon (+V6) in the top right of the ruleset, or right-click the ruleset and select New > IPv6 Rule.
    dns_sinkhole_access_rule_03.png
  8. Specify the following settings to block traffic to the IPv6 sinkhole address:
    • Action – Select Block or Deny.
    • Source – Select Any or enter ::/0.
    • Service – Select Any.
    • Destination – Select DNS Sinkhole IPv6.
    dns_sinkhole_access_rule_04.png
  9. In the left menu, click Advanced.
  10. In the Miscellaneous section, from the Block Page for TCP 80 list, select Access Block Page.
    dns_sinkhole_access_rule_02.png
  11. Click OK.
  12. Drag and drop the access rules so that no rule above them matches the same traffic.
  13. Click Send Changes and Activate.

Clients attempting to access malicious domains via HTTP are redirected to a block page. For all other services, the connection is reset.

Monitoring

Go to FIREWALL > Monitor. In the BOTNET AND SPYWARE PROTECTION element, connections blocked by DNS Sinkhole are listed.

dns_sinkhole_firewall_monitor.png

Go to FIREWALL > Threat Scan. Expand the Botnet and Spyware Protection section to view the intercepted DNS requests.

dns_sinkhole_threat_scan.png

Events

When a client accesses the DNS Sinkhole address, the 5004 – DNS Sinkhole address accessed event is triggered. For more information, see Security Events.
