DNS Sinkhole functionality

ChiefSec-SF
Level 1

I am trying to get the Sinkhole feature working, using this page as a guide:

http://www.packetu.com/2016/07/05/firepower-threat-defense-dns-sinkholing/

I set the Sinkhole object address as a valid but unused address in our DMZ. I have had no issues following the instructions, the DNS policy is associated with the Access Protection policy and when I test it the results are not what would be expected...

The detections do show up in the Security Intelligence category, but the traffic is logged with the internal DNS server listed as the source instead of the originating client (which is the problem sinkholing is supposed to help solve).

From the client side, when I do an nslookup command for the test domain configured, the client just receives a "server failed" error. I expect to see my sinkhole address returned as the response IP for the test domain, and that is not happening.

Has anyone else run into this before? 

**Update

I confirmed that if I change the client DNS server setting to query a public DNS server directly, the sinkhole IP is returned correctly. So there appears to be different behavior when the query is recursive from an internal DNS server. I suspect there are not very many environments where setting all the clients to use public DNS servers would be practical, so there must be a solution.
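The comparison described in the update (querying the internal recursive server versus a public resolver directly) can be scripted so the two paths are checked the same way every time; this is an added example, not code from the original post or from the packetu.com guide. The test domain, the sinkhole address and any resolver addresses passed to check_resolver are constructed placeholders, and build_reply only fabricates replies so the parser can be exercised offline.

```python
import socket
import struct

SERVFAIL = 2  # DNS RCODE 2, the "server failed" that nslookup reports

def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format, RD bit set."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def build_reply(query, rcode, ip=None):
    """Constructed reply for offline testing: echo the question, set RCODE, add one A record (name via 0xc00c pointer)."""
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) if ip else b""
    return query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if ip else 0, 0, 0) + query[12:] + rr

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def classify(msg, sinkhole_ip):
    """What one resolver path did with the test domain."""
    rcode, addrs = parse_response(msg)
    if rcode == SERVFAIL:
        return "servfail"            # what the clients see via the internal server
    return "sinkholed" if sinkhole_ip in addrs else "not-sinkholed"

def check_resolver(resolver_ip, test_domain, sinkhole_ip, timeout=3.0):
    """Live check: send the query over UDP to one resolver and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(test_domain), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(data, sinkhole_ip)
```

Running check_resolver once against the internal DNS server and once against the public resolver the clients were pointed at gives "servfail" versus "sinkholed" for the behaviour described above; a result of "not-sinkholed" from the direct path would instead point at the DNS policy itself.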
