DNS Sinkhole no Palo Alto na prática: TAG + DAG bloqueando o host automaticamente (sem commit)

DNS Sinkhole on Palo Alto is excellent for identifying endpoints trying to resolve malicious/C2 domains — but the real gain comes when you automate containment. In this video, I set up the lab and show the complete flow: Anti-Spyware DNS policy → Sinkhole → Log Forwarding setting TAG → Dynamic Address Group (DAG) → blocking policy, causing the host to automatically lose access when hitting a malicious domain. Licensing (practical view): you usually need Threat Prevention (Anti-Spyware). Depending on your environment/subscriptions, DNS Security can be added as a complement — and I show this in the video. Chapters 00:00 Intro 00:19 How DNS Sinkhole Works (basic) 01:34 Lab 02:40 Required Licensing 03:05 Security Profile → Anti-Spyware → DNS Policy 05:10 Creating the TAG for “infected” hosts 05:50 Log Forwarding: when threat = sinkhole → apply TAG 08:10 Creating the DAG based on the TAG 09:10 Applying the profile + log forwarding to the DNS rule 10:30 Blocking policy for the DAG (closing the loop) 12:10 Dynamic Updates 13:30 Test: host accesses known C2 domain 14:40 Host automatically loses internet (entered the DAG) 15:50 Validating the host within the DAG 16:30 Logs: traffic + threat 18:43 Unregister in the DAG to release the Host 19:40 Host gets internet back 19:55 Extra logs 22:50 Closing and questions If this content helped you in any way, please consider liking and sharing. The purpose of this channel is to help!