
Advanced DNS Security Administration

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation

• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at [email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2022-2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
November 23, 2022

Advanced DNS Security Administration 2 ©2024 Palo Alto Networks, Inc.


Table of Contents

About DNS Security Subscription Services ..... 5
  Cloud-Delivered DNS Signatures and Protections ..... 8
  Data Collection and Logging ..... 14
  Regional Service Domains ..... 16
    DNS Security Regional Service Domains ..... 16
    Advanced DNS Security Regional Service Domains ..... 17

Configure DNS Security Subscription Services ..... 19
  Enable DNS Security ..... 20
  Enable Advanced DNS Security ..... 34
  Configure DNS Security Over TLS ..... 42
  Configure DNS Security Over DoH ..... 44
  Create Domain Exceptions and Allow | Block Lists ..... 47
  Test Domains ..... 52
  Test Connectivity to the DNS Security Cloud Services ..... 56
    DNS Security ..... 56
    Advanced DNS Security ..... 57
  Configure Lookup Timeout ..... 59
    DNS Security ..... 59
    Advanced DNS Security ..... 60
  Bypass DNS Security Subscriptions Services ..... 62

Monitor DNS Security Subscription Services ..... 67
  View DNS Security Dashboard ..... 69
    DNS Security Dashboard Cards ..... 69
  View DNS Security Logs ..... 77



About DNS Security Subscription Services

Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks® provides specialized integrated protection from DNS-based threats with two
security subscription options: DNS Security and Advanced DNS Security. These cloud-delivered
security subscriptions operate using shared underpinnings with Palo Alto Networks Threat
Prevention solutions to provide a comprehensive DNS security solution, and as such, require the
presence of an Advanced Threat Prevention or Threat Prevention subscription.
The DNS Security cloud service is designed to protect your organization from a multitude of
advanced DNS-based threats. By applying advanced machine learning and predictive analytics
to a diverse range of threat intelligence sources, DNS Security rapidly generates enhanced DNS
signatures to defend against known malicious DNS categories, as well as real-time analysis of
DNS requests to defend your network against newly generated and unknown malicious domains.
DNS Security can detect various DNS threats, including DNS tunneling, DNS rebinding attacks,
domains created using auto-generation, malware hosts, and many more.
With an active threat prevention solution operating on supported network security platforms,
customers can sinkhole DNS requests using a list of domains generated by Palo Alto Networks.
These locally-accessed, customizable DNS signature lists are packaged with antivirus and
WildFire updates and include the most relevant threats for policy enforcement and protection
at the time of publication. For improved coverage against threats using DNS, the DNS Security
subscription enables users to access real-time protections using advanced predictive analytics.
Using techniques such as DGA/DNS tunneling detection and machine learning, threats hidden within DNS traffic can be proactively identified and shared through an infinitely scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of ever-expanding signatures that have been generated using a multitude of data sources. This allows you to defend in real time against an array of DNS-based threats, including newly generated malicious domains. To combat future threats, updates to the analysis, detection, and prevention capabilities of the DNS Security service will be available through content releases.


To access the basic DNS Security service, you must have a valid Advanced Threat
Prevention or Threat Prevention license and Advanced DNS Security or DNS Security
license in addition to any base licenses required to operate your network security
platform.

DNS Security subscriptions are available on the following Palo Alto Networks network security
platforms:
• Next-Generation firewalls, including the VM-Series and the CN-Series
• Prisma Access
The Advanced DNS Security service is a complementary subscription offering that operates in conjunction with the DNS Security subscription and enables access to new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real time. With access to Advanced DNS Security operating on PAN-OS 11.2 and later releases, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network either by directly manipulating DNS responses or by exploiting configuration settings of an organization's DNS infrastructure in order to redirect the user to a malicious domain from which additional attacks are initiated. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attacker gains the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it the DNS provider's administrative access, a MiTM attack during the DNS resolution process, or the DNS server itself. Misconfigured domains present a similar problem: the attacker seeks to incorporate their own malicious domain into an organization's DNS by taking advantage of domain configuration issues, such as outdated DNS records that allow attackers to take ownership of the customer's subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real time by operating cloud-based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically, without requiring the user to download update packages when detectors change. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis, so that domains are categorized more accurately and the result is returned in a real-time exchange. Analysis models are delivered through content updates; however, enhancements to existing models are performed as a cloud-side update and require no firewall update. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and requires active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

To access the Advanced DNS Security service, you must have a valid Advanced Threat
Prevention or Threat Prevention license and Advanced DNS Security license in addition to
any base licenses required to operate your network security platform.

Advanced DNS Security subscriptions are available on the following Palo Alto Networks network
security platforms:
• Next-Generation firewalls, including the VM-Series and the CN-Series
Learn about deploying and monitoring DNS Security and Advanced DNS Security in your network:


• Configure DNS Security Subscription Services
• Monitor DNS Security Subscription Services

Cloud-Delivered DNS Signatures and Protections


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

As cloud-based services, Advanced DNS Security and DNS Security allow you to access an infinitely scalable DNS signature and protections source to defend your organization from malicious domains. Domain signatures and protections generated by Palo Alto Networks are derived from a multitude of sources, including WildFire traffic analysis, passive DNS, active web crawling and malicious web content analysis, URL sandbox analysis, Honeynet, DGA reverse engineering, telemetry data, whois, the Unit 42 research organization, and third-party data sources such as the Cyber Threat Alliance. This on-demand cloud database provides users with access to the complete Palo Alto Networks DNS signature set, including signatures generated using advanced analysis techniques, as well as real-time DNS request analysis. Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated through advanced analysis. To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users with instant access to newly added DNS signatures without the need to download updates. If network connectivity goes down or is otherwise unavailable, the firewall uses the on-box DNS signature set.

The DNS Security service operates real-time DNS request analysis using predictive analytics and machine learning on multiple DNS data sources. This is used to generate protections for DNS-based threats, which are accessible in real time through configuration of the Anti-Spyware Security profile attached to a Security policy rule. Each DNS threat category (the DNS Signature Source) allows you to define a separate policy action as well as a log severity level for a specific signature type. This enables you to create specific security policies based on the nature of the threat, according to your network security protocols. Palo Alto Networks also generates and maintains a list of explicitly allowable domains based on metrics from PAN-DB and Alexa. These allow-list domains are frequently accessed and known to be free of malicious content. The DNS Security categories and the allow list are updated and extensible through PAN-OS content releases.

PAN-OS 9.1 and earlier releases have a limited range of DNS Security source categories.

DNS Security and Advanced DNS Security currently support detection of the following DNS threat categories:

The universal threat ID number (indicated as ID in the Threat logs) maps to a specific
DNS detection mechanism used by DNS Security to classify domains. This shows the
precise categorization of the domain, alongside the broadly defined threat category, that
it belongs to.

• Command and Control Domains—C2 includes URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data (this includes DNS tunneling detection and DGA detection), or to deplete resources on target authoritative DNS servers (such as NXNSAttack).
• DNS Tunnel Detection (UTID: 109001001/109001002)—DNS tunneling can be used by attackers to encode data of non-DNS programs and protocols within DNS queries and responses. This provides attackers with an open back channel with which they can transfer files or remotely access the system. DNS tunnel detection uses machine learning to analyze the behavioral qualities of DNS queries, including n-gram frequency analysis of domains, entropy, query rate, and patterns, to determine if the query is consistent with a DNS tunneling-based attack. This includes certain next-generation DNS tunneling malware that exfiltrates data slowly across multiple domains to avoid detection, such as TriFive and Snugy. Combined with the firewall's automated policy actions, this allows you to quickly detect C2 or data theft hidden in DNS tunnels and to automatically block it, based on your defined policy rules.
DNS Security further analyzes domains that are determined to possess DNS tunneling capabilities to provide details about the tools used to embed data in DNS queries and responses and the associated malware campaign name. The attribution details are available in the threat logs as Threat ID/Name for the firewall, and in the DNS Security logs on Prisma Access as Threat Name Firewall, using one of the following formats, depending on the specific DNS tunnel domain type:
Tunneling:<optional_list_of_tools/campaigns (dot-separated string)>:<domain_name>
Tunneling_infil:<optional_list_of_tools/campaigns (dot-separated string)>:<domain_name>
• DGA Domain Detection (UTID: 109000001)—Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers, within the context of establishing a malicious command-and-control (C2) communications channel. DGA-based malware (such as Pushdo, BankPatch, and CryptoLocker) limits the number of its domains that can be blocked by hiding the location of its active C2 servers within a large number of possible suspects; the domains can be algorithmically generated based on factors such as time of day, cryptographic keys, dictionary-derived naming schemes, and other unique values. While most domains generated by a DGA do not resolve as a valid domain, they must all be identified to fully defend against a given threat. DGA analysis determines whether a domain is likely to have been generated by a machine, rather than a person, by reverse-engineering and analyzing other frequently used techniques found in DGAs. Palo Alto Networks then uses these characteristics to identify and block previously unknown DGA-based threats in real time.
• NXNSAttack (UTID: 109010007)—The NXNSAttack vulnerability present in the DNS protocol affects all recursive DNS resolvers and can be used by malicious actors to launch DDoS-like amplification attacks that disrupt the normal operation of vulnerable authoritative DNS servers. NXNSAttack can introduce massive traffic spikes on an authoritative DNS server by forcing the recursive DNS resolver to issue a large number of invalid requests, potentially shutting down the server.
• DNS Rebinding (UTID: 109010009)—DNS rebinding attacks lure users to an attacker-controlled domain configured with a short TTL parameter to manipulate how domain names are resolved, in order to exploit and bypass the same-origin policy in browsers. This enables malicious actors to use the client machine as an intermediary to attack or access a resource contained within a private network.
• DNS Infiltration (UTID: 109001003)—DNS infiltration includes DNS queries that enable malicious actors to hide and resolve minute payloads via a response to fraudulent A (IPv4) and AAAA (IPv6) record requests. When the client resolves multiple subdomains, each containing an A/AAAA record with an encoded component, the data contained within them can be consolidated to form a malicious payload, which can then be executed on the client machine. After executing the payload, it can introduce secondary payloads to establish a DNS tunnel or additional exploits.
• DNS Traffic Profiling (UTID: 109010010)—(Requires Advanced DNS Security) DNS traffic profiling is a cloud-based analyzer that detects malware attempting to establish a C2 connection, based on an assessment of DNS traffic patterns. As Advanced DNS Security monitors your organization's DNS traffic, the outbound DNS request sequences are vectorized to form DNS traffic profiles, which are then analyzed using ML techniques that can associate the unique DNS request patterns with identifiable malicious C2 domain profiles.
• Dynamic DNS Hosted Domains (UTID: 109020002)—Dynamic DNS (DDNS) services provide mapping between hostnames and IP addresses in near real time to keep changing IP addresses linked to a specific domain when static IPs are unavailable. This provides attackers with a method of infiltrating networks by using DDNS services to change the IP addresses that host command-and-control servers. Malware campaigns and exploit kits can utilize DDNS services as part of their payload distribution strategy. By utilizing DDNS domains as part of their hostname infrastructure, adversaries can change the IP address associated with given DNS records and more easily avoid detection. DNS Security detects exploitative DDNS services by filtering and cross-referencing DNS data from various sources to generate candidate lists, which are then further validated to maximize accuracy.
• Malware Domains—Malicious domains host and distribute malware and can include websites that attempt to install various threats (such as executables, scripts, viruses, and drive-by downloads). Malicious domains are distinguishable from C2 domains in that they deliver malicious payloads into your network via an external source, whereas with C2, infected endpoints typically attempt to connect to a remote server to retrieve additional instructions or other malicious content.
• Malware Compromised DNS (UTID: 109003001)—Malware compromised DNS covers a range of techniques, some legitimate, that result in the generation of seemingly genuine hostnames and subdomains which are in fact malicious. This includes newly observed hostnames that mimic existing, reputable hostnames in an attempt to impersonate or otherwise mislead and evade database-centric security solutions. These can be quickly produced en masse to preempt their addition to database lists. Domain shadowing typically follows after an attacker gains control of a domain account through a more conventional attack. This provides the access necessary to create illegitimate subdomains used to coordinate attacks, even though the root domain remains legitimate and valid, increasing the likelihood of circumventing network security.
• Ransomware Domains (UTID: 109003002)—Ransomware is a subcategory of malware that locks or cryptographically prevents users from accessing data in exchange for a ransom payment, after which the system may be released back to the user by the attacker. Ransomware can be distributed through malicious ransomware domains, which host the seemingly legitimate files that users are tricked into downloading.

• Newly Registered Domains (UTID: 109020001)—Newly registered domains are domains that have been recently added by a TLD operator or had a change in ownership within the last 32 days. While new domains can be created for legitimate purposes, the vast majority are used to facilitate malicious activities, such as operating as C2 servers or distributing malware, spam, or PUP/adware. Palo Alto Networks detects newly registered domains by monitoring specific feeds (domain registries and registrars) and using zone files, passive DNS, and WHOIS data to detect registration campaigns.
• Phishing Domains (UTID: 109010001)—Phishing domains attempt to lure users into submitting sensitive data, such as personal information or user credentials, by masquerading as legitimate websites through phishing or pharming. These malicious activities can be conducted through social engineering campaigns (whereby a seemingly trusted source manipulates users into submitting personal information via email or other forms of electronic communication) or through web traffic redirection, which directs users to fraudulent sites that appear legitimate.
• Grayware Domains (UTID: 109010002)—(Available with installation of PAN-OS content release 8290 and later) Grayware domains generally do not pose a direct security threat; however, they can facilitate vectors of attack, produce various undesirable behaviors, or might simply contain questionable/offensive content. These can include websites and domains that:
  • Attempt to trick users into granting remote access.
  • Leverage subdomains of popular web hosting and dynamic domain name system (DDNS) services to host and distribute malicious content (subdomain reputation - UTID: 109002004).
  • Contain adware and other unsolicited applications (such as cryptominers, hijackers, and PUPs [potentially unwanted programs]).
  • Deploy domain identification concealment actions using fast flux techniques (fastflux detection - UTID: 109010005).
  • Demonstrate malicious behavior and usage as evidenced through DNS Security predictive analytics (malicious NRD - UTID: 109010006).
  • Redirect traffic from a legitimate source to a malicious website due to an improperly configured or stale DNS record on an authoritative DNS server that has not been removed or otherwise corrected (dangling DNS - UTID: 109010008).
  • Promote illegal activities or scams.
  • Include wildcard DNS entries, which can be used to evade block lists or enable wildcard DNS attacks by routing traffic to malicious websites (Wildcard abuse - UTID: 109002001).
  • Indicate the presence of DNS traffic with anomalous characteristics when compared to established baseline profiles built from collected DNS data (Anomaly detection).
  • Have been registered months or years in advance and left in a state of dormancy to bypass reputation checks when they become active. This also includes newly observed domains that have never been seen or otherwise evaluated (Strategically-aged domains - UTID: 109002002).
  • Are unused domains that have been registered by an attacker with probable malicious intent based on certificate transparency logs (Stockpile Domain detection - UTID: 109002005).
  • Deceive users by resembling popular brand-name domains as well as incorrectly entered web page addresses, with the goal of directing users to counterfeit and fraudulent websites (Cybersquatting/Typosquatting domains - UTID: 109002003).

• Parked Domains (UTID: 109010003)—(Available with installation of PAN-OS content release 8318 and later) Parked domains are typically inactive websites that host limited content, often in the form of click-through ads which may generate revenue for the host entity, but generally do not contain content that is useful to the end user. While they often function as a legitimate placeholder or as nothing more than a benign nuisance, they could also be used as a possible vector for distribution of malware.
• Proxy Avoidance and Anonymizers (UTID: 109010004)—(Available with installation of PAN-OS content release 8340 and later) Proxy Avoidance and Anonymizers covers traffic to services that are used to bypass content filtering policies. Users who attempt to circumvent an organization's content filtering policies via anonymizer proxy services are blocked at the DNS level.
• Ad Tracking Domains (UTID: 109004000)—(Available with installation of PAN-OS content release 8586 and later) Ad Tracking domains deliver certain types of marketing automation content for webpages in order to track user engagement (such as link clicks, web page navigation, etc.). Typically, these third-party domains are concealed through the use of a vanity URL to appear to be part of the originating domain.
• CNAME Cloaking (UTID: 109004001)—CNAME cloaking provides an alternate means of concealing a URL by modifying a web request for a subdomain to appear as if it originates from the same website, though in actuality the subdomain uses a CNAME to resolve to a third-party domain. This technique circumvents some browser-based privacy protections, which could then connect to a suspicious CNAME destination.
• Hijacked Domains (UTID: 109004000)—(Requires Advanced DNS Security) Hijacked domains include domains where attackers gain the ability to make legitimate domains resolve to attacker-operated IP addresses, typically by compromising some aspect of an organization's DNS infrastructure. This can include unauthorized administrative access to the DNS provider, a MiTM attack during the DNS resolution process, or access to the DNS server itself.
• Misconfiguration Domains (UTID: 109004000)—(Requires Advanced DNS Security) Misconfigured domains enable attackers to incorporate their own malicious domains into an organization's DNS by taking advantage of domain configuration issues. These outdated DNS records allow attackers to take ownership of the customer's subdomain and redirect users to attacker-controlled IPs or websites for malicious purposes. These non-resolvable misconfiguration domains are based on the public-facing parent domain(s) that are specified during configuration of Advanced DNS Security.
• Misconfiguration Zone (UTID: 109004200)—A generic category for misconfiguration domains that do not correspond to any other misconfiguration category.
• Misconfiguration Zone Dangling (UTID: 109004201)—Misconfigured domains that redirect traffic from a legitimate source to a malicious website due to an improperly configured or stale DNS record on an authoritative DNS server present in an organization's public-facing domain.
• Misconfiguration Claimable NX (UTID: 109004202)—Misconfigured domains that are defined as part of an organization's DNS configuration but no longer exist (NXDOMAIN) can be surreptitiously registered by attackers and used to redirect users to malicious websites, potentially allowing the attacker to gain access to a customer's network.
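The DNS Tunnel Detection and DGA Domain Detection entries above name the behavioral qualities the service examines (n-gram frequency, entropy, query rate, label length). The following Python example, added for this page and not Palo Alto Networks code, computes simplified versions of those features over constructed query records and flags the source/apex pairs that look like tunneling or machine-generated domains; the thresholds, the naive two-label apex split, the bigram list and the sample records are assumptions for illustration only.

```python
"""Simplified DNS behavioral scorer (added illustration, not Palo Alto Networks code)."""
import base64
import hashlib
import math
from collections import defaultdict

# Approximate set of frequent English bigrams: a crude stand-in for the n-gram
# frequency analysis the guide mentions (assumption, not the product's model).
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se ha "
    "as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur".split()
)

# Hypothetical thresholds, tuned for the constructed sample below.
TUNNEL_MIN_DISTINCT = 10    # distinct subdomains per (source, apex) inside one window
TUNNEL_MIN_LABEL_LEN = 30   # mean length of the longest subdomain label
TUNNEL_MIN_ENTROPY = 3.0    # mean Shannon entropy (bits/char) of that label
DGA_MIN_SLD_LEN = 10        # second-level label length
DGA_MIN_ENTROPY = 3.0
DGA_MAX_BIGRAM_RATIO = 0.2


def shannon_entropy(text):
    """Shannon entropy, in bits per character, of the character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def common_bigram_ratio(text):
    """Fraction of adjacent character pairs that are common English bigrams."""
    pairs = [text[i:i + 2] for i in range(len(text) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs) if pairs else 0.0


def split_name(name):
    """Return (subdomain labels, apex) with a naive two-label apex (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def profile_queries(queries, window_s=60.0):
    """Aggregate (timestamp, source_ip, qname) records per (source, apex) pair."""
    groups = defaultdict(list)
    for ts, src, name in queries:
        subs, apex = split_name(name)
        groups[(src, apex)].append((ts, subs))
    profiles = {}
    for key, items in groups.items():
        items.sort(key=lambda item: item[0])
        # Largest number of distinct subdomain prefixes inside any one window:
        # a rate-like measure that a tunnel's unique-per-chunk names drive up.
        best = 0
        for i, (t0, _) in enumerate(items):
            seen = {".".join(s) for t, s in items[i:] if t - t0 <= window_s}
            best = max(best, len(seen))
        longest = [max(s, key=len) if s else "" for _, s in items]
        sld = key[1].split(".")[0]
        profiles[key] = {
            "max_distinct_in_window": best,
            "mean_longest_label": sum(map(len, longest)) / len(longest),
            "mean_label_entropy": sum(map(shannon_entropy, longest)) / len(longest),
            "sld_len": len(sld),
            "sld_entropy": shannon_entropy(sld),
            "sld_bigram_ratio": common_bigram_ratio(sld),
        }
    return profiles


def classify_profile(p):
    """Map one profile to a verdict; the tunneling test runs before the DGA test."""
    if (p["max_distinct_in_window"] >= TUNNEL_MIN_DISTINCT
            and p["mean_longest_label"] >= TUNNEL_MIN_LABEL_LEN
            and p["mean_label_entropy"] >= TUNNEL_MIN_ENTROPY):
        return "tunneling-like"
    if (p["sld_len"] >= DGA_MIN_SLD_LEN
            and p["sld_entropy"] >= DGA_MIN_ENTROPY
            and p["sld_bigram_ratio"] <= DGA_MAX_BIGRAM_RATIO):
        return "dga-like"
    return "benign"


def classify_queries(queries, window_s=60.0):
    """Verdict per (source, apex) pair for a list of query records."""
    return {k: classify_profile(p) for k, p in profile_queries(queries, window_s).items()}


def _chunk_label(i):
    """Constructed 40-char base32 label standing in for one encoded data chunk."""
    return base64.b32encode(hashlib.sha256(b"chunk-%d" % i).digest()[:25]).decode().lower()


# Constructed sample records (timestamp seconds, source IP, queried name); not real traffic.
SAMPLE_QUERIES = [
    (0.0, "10.0.0.5", "www.example.com"),
    (1.0, "10.0.0.5", "mail.example.com"),
    (2.5, "10.0.0.5", "login.microsoftonline.com"),  # long but pronounceable SLD
    (5.0, "10.0.0.7", "xk3qz9vplw2m.com"),           # DGA-style labels
    (5.3, "10.0.0.7", "qw8rtz4nbv6k.net"),
] + [(10.0 + 0.2 * i, "10.0.0.9", _chunk_label(i) + ".exfil-test.example")
     for i in range(25)]                              # tunnel-style burst
```

Run `classify_queries(SAMPLE_QUERIES)` to see the verdict per source/apex pair; the microsoftonline.com record shows why the bigram feature is needed alongside entropy and length, since its second-level label is long and high-entropy yet clearly readable.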

Data Collection and Logging


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

The DNS Security service collects server response and request information based on your security policy rules, the associated action, and the DNS query details when performing domain lookups, to generate DNS Security logs for Strata Logging Service-based activity applications (AIOps for NGFW Free, Prisma Access, Strata Logging Service, etc.). Additionally, the network security platform forwards supplemental DNS data to the DNS Security cloud servers, which Palo Alto Networks services use to provide more accurate domain information (such as provider ASN, hosting information, and geolocation identification). While this supplemental data is not necessary to operate the DNS Security service, it provides the resources to generate improved analytics, DNS detection, and prevention capabilities. This forwarding occurs less than 30 seconds after the data is collected. To minimize firewall performance impact, DNS Security telemetry operates with minimal overhead, which can limit the total amount of DNS telemetry data sent to Strata Logging Service; consequently, only a subset of DNS queries are forwarded to Strata Logging Service as DNS Security log entries. As a result, Palo Alto Networks recommends viewing logs for malicious DNS requests as threat logs instead of DNS Security logs.

Malicious DNS queries are also recorded as threat logs and are submitted to the Strata
Logging Service using PAN-OS log forwarding (when appropriately configured).

DNS Security can submit the following data fields:

• Action: Displays the policy action taken on the DNS query.
• Type: Displays the DNS record type.
• Response: The IP address that the domain in the DNS query was resolved to.
• Response Code: The DNS response code that was received as an answer to your DNS query.
• Source IP: The IP address of the system that made the DNS request.
• Source User: When the firewall User-ID feature is enabled, the identity of the DNS requester.
• Source Zone: The configured source zone referenced in your security policy rule.

DNS expanded data collection is bypassed for domains added to the Allow list in DNS
Exceptions.

Data fields that could be used to identify users (Source IP, Source User, and Source Zone) can
be withheld from automatic submission with the following CLI command:

set deviceconfig setting ctd cloud-dns-privacy-mask yes

You must commit the change for it to take effect.


Regional Service Domains


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks maintains a network of global and regional domains that provide service
for DNS Security and Advanced DNS Security operations. These service domains operate real-time
DNS request analyzers, provide access to the DNS signature database, and provide advanced
cloud-dependent functionality. By default, DNS Security and Advanced DNS Security connect to
the global service domains (dns.service.paloaltonetworks.com and
adv-dns.service.paloaltonetworks.com, respectively), which automatically redirect to the regional
domain closest to the network security platform location.

DNS Security Regional Service Domains


Palo Alto Networks recommends using the default global service domain configuration for
improved failover handling; however, if you experience latency issues due to the particulars
of your location (for example, when straddling multiple overlapping regional domains), you
can manually specify the service domain. To specify the regional service domain used by DNS
Security, add a DNS entry for dns.service.paloaltonetworks.com to your DNS server configuration
that includes a CNAME record pointing at one of the valid regional domains listed below. After
connecting to a regional domain, issue the following CLI command on the firewall to review the
average latency:

show dns-proxy dns-signature counters

The relevant section is located under the Signature query API heading.
The following table lists the DNS Security service domains:

Location                          URL
Cape Town, South Africa           dns-za.service.paloaltonetworks.com
Hong Kong                         dns-hk.service.paloaltonetworks.com
Tokyo, Japan                      dns-jp.service.paloaltonetworks.com
Singapore                         dns-sg.service.paloaltonetworks.com
Mumbai, India                     dns-in.service.paloaltonetworks.com
Sydney, Australia                 dns-au.service.paloaltonetworks.com
London, England                   dns-uk.service.paloaltonetworks.com
Frankfurt, Germany                dns-de.service.paloaltonetworks.com
Eemshaven, Netherlands            dns-nl.service.paloaltonetworks.com
Paris, France                     dns-fr.service.paloaltonetworks.com
Bahrain                           dns-bh.service.paloaltonetworks.com
Montreal, Quebec, Canada          dns-ca.service.paloaltonetworks.com
Osasco, São Paulo, Brazil         dns-br.service.paloaltonetworks.com
Council Bluffs, Iowa, USA         dns-us-ia.service.paloaltonetworks.com
Ashburn, Northern Virginia, USA   dns-us-va.service.paloaltonetworks.com
The Dalles, Oregon, USA           dns-us-or.service.paloaltonetworks.com
Los Angeles, California, USA      dns-us-ca.service.paloaltonetworks.com

Advanced DNS Security Regional Service Domains


You can manually specify the server used to facilitate Advanced DNS Security queries. While
Palo Alto Networks recommends using the default global service domain, you can override the
selected server if you encounter higher than expected latency or other service-related issues.
You can specify the Advanced DNS Security service domain in PAN-OS from Device > Setup >
Management > Advanced DNS Security > DNS Security Server.

This setting does not impact how standard DNS Security queries are handled.

The following table lists the Advanced DNS Security service domains. Each regional domain is a
subdomain of the global adv-dns.service.paloaltonetworks.com domain:

Location                          URL
Cape Town, South Africa           za.adv-dns.service.paloaltonetworks.com
Bahrain                           bh.adv-dns.service.paloaltonetworks.com
Hong Kong                         hk.adv-dns.service.paloaltonetworks.com
Tokyo, Japan                      jp.adv-dns.service.paloaltonetworks.com
Singapore                         sg.adv-dns.service.paloaltonetworks.com
Mumbai, India                     in.adv-dns.service.paloaltonetworks.com
Sydney, Australia                 au.adv-dns.service.paloaltonetworks.com
London, England                   uk.adv-dns.service.paloaltonetworks.com
Frankfurt, Germany                de.adv-dns.service.paloaltonetworks.com
Eemshaven, Netherlands            nl.adv-dns.service.paloaltonetworks.com
Paris, France                     fr.adv-dns.service.paloaltonetworks.com
Montreal, Quebec, Canada          ca.adv-dns.service.paloaltonetworks.com
Osasco, São Paulo, Brazil         br.adv-dns.service.paloaltonetworks.com
Council Bluffs, Iowa, USA         us-ia.adv-dns.service.paloaltonetworks.com
Ashburn, Northern Virginia, USA   us-va.adv-dns.service.paloaltonetworks.com
The Dalles, Oregon, USA           us-or.adv-dns.service.paloaltonetworks.com
Los Angeles, California, USA      us-ca.adv-dns.service.paloaltonetworks.com

Advanced DNS Security Administration 18 ©2024 Palo Alto Networks, Inc.


Configure DNS Security Subscription Services
Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

Before you can enable and configure Advanced DNS Security or DNS Security, you must obtain
and install a Threat Prevention (or Advanced Threat Prevention) license as well as an Advanced
DNS Security or DNS Security license, in addition to any platform licenses for the platform on
which it runs. Licenses are activated from the Palo Alto Networks Customer Support Portal and
must be active before DNS analysis can take place. Additionally, DNS Security subscription
services (like other Palo Alto Networks security services) are administered through security
profiles, which in turn depend on the network enforcement policies defined through security
policy rules. Before enabling a DNS Security subscription service, familiarize yourself with the
core components of the security platform in which the security subscriptions are enabled. Refer
to your product documentation for more information.
To enable and configure a DNS Security subscription service to function optimally within
your network security deployment, refer to the tasks below. While it may not be necessary
to implement all of the processes shown here, Palo Alto Networks recommends reviewing all
of the tasks to familiarize yourself with the available options for a successful deployment. It is
additionally recommended that you follow the best practices provided by Palo Alto Networks for
optimum usability and security.
• Enable DNS Security or Advanced DNS Security on my network security platform to prevent
DNS threats from entering my network (required)
• Create domain signature exceptions and allow lists to limit false positives and prevent internal
DNS servers from triggering DNS categorization
• Test the configured policy actions for the available domain categories
• Verify my firewall's connectivity to the DNS Security service
• Limit dropped connections due to latency by customizing the DNS lookup timeout setting
on the firewall

Configure DNS Security Subscription Services

Enable DNS Security


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

To enable DNS Security, you must create (or modify) an Anti-Spyware security profile to access
the DNS Security service, configure the log severity and policy settings for the DNS signature
category (or categories), and then attach the profile to a security policy rule.
• Strata Cloud Manager
• PAN-OS & Panorama

Enable DNS Security (Strata Cloud Manager)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager on the hub.

STEP 2 | Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention) license
is active. Select Manage > Configuration > NGFW and Prisma Access > Overview and click
the license usage terms link in the License panel. You should see green check marks next to
the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS
Security.

STEP 3 | Verify that your security policy allows the paloalto-dns-security App-ID, so that traffic
to and from the DNS Security cloud service is permitted.

If your firewall deployment routes your management traffic through an Internet-facing
perimeter firewall configured to enforce App-ID security policies, you must also allow
the App-ID on the perimeter firewall; failure to do so will prevent DNS Security
connectivity.


STEP 4 | Configure DNS Security signature policy settings to send malicious DNS queries to the
defined sinkhole.

If you use an external dynamic list as a domain allow list, it does not have precedence
over the DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the action
specified under DNS Security is still applied, even when the EDL is explicitly configured
with an action of Allow. If you want to add DNS domain exceptions, either configure
an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located
in the DNS Exceptions tab.

1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS
Security.
2. Create or modify an existing DNS Security profile.
3. Name the profile and, optionally, provide a description.
4. In the DNS Categories section, beneath the DNS Security heading, there are individually
configurable DNS signature sources, which allow you to define separate policy actions as
well as the packet capture setting.

Palo Alto Networks recommends using the default action setting for all signature
sources to ensure optimum coverage as well as to assist with incident response
and remediation. For more information about the best practices for configuring
your DNS Security settings, refer to Best Practices for Securing Your Network
from Layer 4 and Layer 7 Evasions.

• Select an action to be taken when DNS lookups are made to known malware sites for
the DNS Security signature source. The options are alert, allow, block, or sinkhole.
Palo Alto Networks recommends setting the action to sinkhole.
• You can fully bypass DNS traffic inspection by configuring a policy action of Allow
with a corresponding log severity of None for each DNS signature source.
• In the Packet Capture drop-down, select single-packet to capture the first packet of
the session or extended-capture to set between 1-50 packets. You can then use the
packet captures for further analysis.
5. In the DNS Sinkhole Settings section, verify that a valid Sinkhole address is present.
For your convenience, the default setting (pan-sinkhole-default-ip) is set to access a
Palo Alto Networks sinkhole server. Palo Alto Networks can automatically refresh this
address through updates.

Sinkhole forges a response to a DNS query for a domain that matches a DNS
category configured with the sinkhole action, directing the client to the
specified sinkhole server so that compromised hosts can be identified. When the
default sinkhole FQDN is used, the firewall sends a CNAME record as the
response to the client, with the expectation that an internal DNS server will
resolve the CNAME, so that the client's subsequent communication with the
configured sinkhole server is logged and readily identifiable. However, if
clients are in networks without an internal DNS server, or use software or
tools that cannot properly resolve a CNAME into an A record response, the
DNS request is dropped and the traffic logs lack the details that are crucial
for threat analysis. In these cases, use the sinkhole IP address 72.5.65.111
instead.

If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on
your network or to a loopback address, see Configure the Sinkhole IP Address to a Local
Server on Your Network.

6. Click OK to save the DNS Security profile.

STEP 5 | Attach the DNS Security profile to a Security policy rule.


STEP 6 | Test that the policy action is enforced.


1. Access the DNS Security test domains to verify that the policy action for a given threat
type is being enforced.
2. To monitor the activity:
1. View the activity logs and search for the URL Domain with a sinkholed action to view
the log entries for the test domain you accessed.

STEP 7 | Optional—Create a decryption policy rule to decrypt DNS-over-TLS (port 853) traffic. The
decrypted DNS payload can then be processed using the DNS Security profile configuration
containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting
DNS requests appear in the threat logs as the conventional dns-base application with a
source port of 853.

STEP 8 | For other monitoring options, see Monitor DNS Security Subscription Services

Enable DNS Security (NGFW (Managed by PAN-OS or Panorama))


PAN-OS 10.0 and later supports individually configurable DNS signature sources, which enables
you to define separate policy actions as well as a log severity level for a given signature source.
This enables you to create discrete, precise security actions based on the threat posture of a
domain type according to your network security protocols. The DNS signature source definitions
are extensible through PAN-OS content releases so, when new DNS Security analyzers are
introduced, you are able to create specific policies based on the nature of the threat. Upon
upgrade to PAN-OS 10.0 and later, the DNS Security source gets redefined into new categories to
provide extended granular controls; as a result, the new categories will overwrite the previously
defined action and acquire default settings. Make sure to reapply any sinkhole, log severity, and
packet captures settings appropriate for the newly defined DNS Security Categories.
• PAN-OS 11.0 and later
• PAN-OS 10.x
• PAN-OS 9.1

Enable DNS Security (PAN-OS 11.0 and Later)

STEP 1 | Log in to the NGFW.

STEP 2 | To take advantage of DNS Security, you must have an active DNS Security and Threat
Prevention (or Advanced Threat Prevention) subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions that you
currently have licenses for, select Device > Licenses and verify that the appropriate licenses
display and have not expired.

STEP 3 | Verify that your security policy allows the paloalto-dns-security App-ID, so that traffic
to and from the DNS Security cloud service is permitted.

If your firewall deployment routes your management traffic through an Internet-facing
perimeter firewall configured to enforce App-ID security policies, you must also allow
the App-ID on the perimeter firewall; failure to do so will prevent DNS Security
connectivity.


STEP 4 | Configure DNS Security signature policy settings to send malicious DNS queries to the
defined sinkhole.

If you use an external dynamic list as a domain allow list, it does not have precedence
over the DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the action
specified under DNS Security is still applied, even when the EDL is explicitly configured
with an action of Allow. If you want to add DNS domain exceptions, either configure
an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located
in the DNS Exceptions tab.

1. Select Objects > Security Profiles > Anti-Spyware.


2. Create or modify an existing profile, or select one of the existing default profiles and
clone it.
3. Name the profile and, optionally, provide a description.
4. Select the DNS Policies tab.
5. In the Signature Source column, beneath the DNS Security heading, there are
individually configurable DNS signature sources, which allow you to define separate
policy actions as well as a log severity level.

Palo Alto Networks recommends changing your default DNS Policies settings for
signature sources to ensure optimum coverage as well as to assist with incident
response and remediation. Follow the best practices for configuring your DNS
Security settings as outlined in Best Practices for Securing Your Network
from Layer 4 and Layer 7 Evasions.

• Specify the log severity level that is recorded when the firewall detects a domain
matching a DNS signature. For more information about the various log severity levels,
refer to Threat Severity Levels.
• Select an action to be taken when DNS lookups are made to known malware sites for
the DNS Security signature source. The options are default, allow, block, or sinkhole.
Verify that the action is set to sinkhole.
• You can fully bypass DNS traffic inspection by configuring a policy action of Allow
with a corresponding log severity of None for each DNS signature source.
• In the Packet Capture drop-down, select single-packet to capture the first packet of
the session or extended-capture to set between 1-50 packets. You can then use the
packet captures for further analysis.
6. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your
convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to
access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this
address through content updates.

Sinkhole forges a response to a DNS query for a domain that matches a DNS
category configured with the sinkhole action, directing the client to the
specified sinkhole server so that compromised hosts can be identified. When
the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall
sends a CNAME record as the response to the client, with the expectation that
an internal DNS server will resolve the CNAME, so that the client's subsequent
communication with the configured sinkhole server is logged and readily
identifiable. However, if clients are in networks without an internal DNS
server, or use software or tools that cannot properly resolve a CNAME into an
A record response, the DNS request is dropped and the traffic logs lack the
details that are crucial for threat analysis. In these cases, use the sinkhole
IP address 72.5.65.111 instead.

If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on
your network or to a loopback address, see Configure the Sinkhole IP Address to a Local
Server on Your Network.
7. (Optional) Block the DNS resource record types used to exchange the keying information
for Encrypted Client Hello (ECH) in the subsequent TLS connection. The following DNS RR
types are available: SVCB (64), HTTPS (65), and ANY (255).

• While it is not necessary to block the ECH record types in order to enable DNS
Security over DoH, Palo Alto Networks currently recommends blocking all DNS
record types used by ECH for optimum security.
• The SVCB (type 64) and HTTPS (type 65) resource record types are defined in
RFC 9460, Service Binding and Parameter Specification via the DNS (DNS SVCB
and HTTPS Resource Records), published by the IETF in November 2023. The ECH
TLS extension itself is still an IETF draft and is subject to change.

8. Click OK to save the Anti-Spyware profile.

STEP 5 | Attach the Anti-Spyware profile to a Security policy rule.


1. Select Policies > Security.
2. Select or create a Security Policy Rule.
3. On the Actions tab, select the Log at Session End check box to enable logging.
4. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From
the Anti-Spyware drop-down, select the new or modified profile.
5. Click OK to save the policy rule.


STEP 6 | Test that the policy action is enforced.


1. Access the DNS Security test domains to verify that the policy action for a given threat
type is being enforced.
2. To monitor the activity on the firewall:
1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and
Blocked Activity for the domain you accessed.
2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs
on sinkholed domains.
3. For more monitoring options, see Monitor DNS Security Subscription Services

STEP 7 | Optional—Create a decryption policy rule to decrypt DNS-over-TLS (port 853) traffic. The
decrypted DNS payload can then be processed using the Anti-Spyware profile configuration
containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting
DNS requests appear in the threat logs as the conventional dns-base application with a
source port of 853.

STEP 8 | Optional—See Infected Hosts that Attempted to Connect to a Malicious Domain
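The sinkhole note in step 4 and the optional ECH record-type step describe what happens on the wire: the firewall answers a query for a sinkholed domain with either a CNAME to sinkhole.paloaltonetworks.com or an A record for 72.5.65.111, and only the A record helps a client that cannot chase a CNAME. The following Python script is an added example, not Palo Alto Networks code, that builds a DNS query with the standard library, forges both forms of sinkhole response, parses the answer the way a client would, and flags the SVCB (64), HTTPS (65) and ANY (255) query types that step 7 lets you block. The query name and transaction ID are constructed sample values, and the behaviour of the simulated internal resolver is an assumption made for illustration.

```python
"""Added example (not Palo Alto Networks code): forging and parsing a DNS
sinkhole response in RFC 1035 wire format, and flagging ECH record types."""
import struct

SINKHOLE_FQDN = "sinkhole.paloaltonetworks.com"       # default sinkhole FQDN from the doc
SINKHOLE_IPV4 = "72.5.65.111"                         # sinkhole IP for CNAME-incapable clients
ECH_RR_TYPES = {64: "SVCB", 65: "HTTPS", 255: "ANY"}  # record types step 7 can block
QTYPE_A, QTYPE_CNAME, QCLASS_IN = 1, 5, 1


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, qname, qtype):
    """Standard recursive query (RD=1) with a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": msg[12:off + 4]}


def ech_rr_type(qtype):
    """Name of the ECH-related record type, or None if the query is not one."""
    return ECH_RR_TYPES.get(qtype)


def forge_sinkhole_response(query, use_cname=True, ttl=60):
    """Answer the query with one forged RR pointing at the sinkhole. The owner
    name is a compression pointer (0xC00C) back to the QNAME at offset 12."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1 NOERROR
    owner = b"\xc0\x0c"
    if use_cname:
        rdata, rtype = encode_name(SINKHOLE_FQDN), QTYPE_CNAME
    else:
        rdata, rtype = bytes(int(o) for o in SINKHOLE_IPV4.split(".")), QTYPE_A
    rr = owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + q["question"] + rr


def parse_first_answer(msg):
    """Return the first answer RR as {"type": ..., "value": ...}."""
    _, off = decode_name(msg, 12)           # skip QNAME
    off += 4                                # skip QTYPE and QCLASS
    _, off = decode_name(msg, off)          # skip the owner name
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == QTYPE_CNAME:
        return {"type": "CNAME", "value": decode_name(msg, off)[0]}
    if rtype == QTYPE_A:
        return {"type": "A", "value": ".".join(str(b) for b in msg[off:off + rdlen])}
    return {"type": rtype, "value": msg[off:off + rdlen]}


def client_destination(response, has_internal_resolver):
    """Where the client ends up connecting, per the doc's caveat: an A answer is
    usable directly; a CNAME answer is only usable if a resolver chases it.
    Assumption for this example: the internal resolver maps the sinkhole FQDN
    to SINKHOLE_IPV4. Returns None when the request is effectively dropped."""
    ans = parse_first_answer(response)
    if ans["type"] == "A":
        return ans["value"]
    if ans["type"] == "CNAME" and has_internal_resolver:
        return SINKHOLE_IPV4
    return None


if __name__ == "__main__":
    query = build_query(0x1234, "malware-test.example", QTYPE_A)  # constructed sample query
    for cname in (True, False):
        resp = forge_sinkhole_response(query, use_cname=cname)
        print(parse_first_answer(resp), client_destination(resp, has_internal_resolver=False))
    print(ech_rr_type(65))
```

Running the script shows the CNAME answer yielding no destination for a client without an internal resolver, while the A answer yields 72.5.65.111 in both cases; that is the difference that decides whether the sinkhole connection ever shows up in the traffic log.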

Enable DNS Security (PAN-OS 10.x)

STEP 1 | Log in to the NGFW.

STEP 2 | To take advantage of DNS Security, you must have an active DNS Security and Threat
Prevention (or Advanced Threat Prevention) subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions that you
currently have licenses for, select Device > Licenses and verify that the appropriate licenses
display and have not expired.

STEP 3 | Verify that your security policy allows the paloalto-dns-security App-ID, so that traffic
to and from the DNS Security cloud service is permitted.

If your firewall deployment routes your management traffic through an Internet-facing
perimeter firewall configured to enforce App-ID security policies, you must also allow
the App-ID on the perimeter firewall; failure to do so will prevent DNS Security
connectivity.


STEP 4 | Configure DNS Security signature policy settings to send malicious DNS queries to the
defined sinkhole.

If you use an external dynamic list as a domain allow list, it does not have precedence
over the DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the action
specified under DNS Security is still applied, even when the EDL is explicitly configured
with an action of Allow. If you want to add DNS domain exceptions, either configure
an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located
in the DNS Exceptions tab.

1. Select Objects > Security Profiles > Anti-Spyware.


2. Create or modify an existing profile, or select one of the existing default profiles and
clone it.
3. Name the profile and, optionally, provide a description.
4. Select the DNS Policies tab.
5. In the Signature Source column, beneath the DNS Security heading, there are
individually configurable DNS signature sources, which allow you to define separate
policy actions as well as a log severity level.

Palo Alto Networks recommends changing your default DNS Policies settings for
signature sources to ensure optimum coverage as well as to assist with incident
response and remediation. Follow the best practices for configuring your DNS
Security settings as outlined in Best Practices for Securing Your Network
from Layer 4 and Layer 7 Evasions.

• Specify the log severity level that is recorded when the firewall detects a domain
matching a DNS signature. For more information about the various log severity levels,
refer to Threat Severity Levels.
• Select an action to be taken when DNS lookups are made to known malware sites for
the DNS Security signature source. The options are default, allow, block, or sinkhole.
Verify that the action is set to sinkhole.
• You can fully bypass DNS traffic inspection by configuring a policy action of Allow
with a corresponding log severity of None for each DNS signature source.
• In the Packet Capture drop-down, select single-packet to capture the first packet of
the session or extended-capture to set between 1-50 packets. You can then use the
packet captures for further analysis.
6. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your
convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to
access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this
address through content updates.

Sinkhole forges a response to a DNS query for a domain that matches a DNS
category configured with the sinkhole action, directing the client to the
specified sinkhole server so that compromised hosts can be identified. When
the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall
sends a CNAME record as the response to the client, with the expectation that
an internal DNS server will resolve the CNAME, so that the client's subsequent
communication with the configured sinkhole server is logged and readily
identifiable. However, if clients are in networks without an internal DNS
server, or use software or tools that cannot properly resolve a CNAME into an
A record response, the DNS request is dropped and the traffic logs lack the
details that are crucial for threat analysis. In these cases, use the sinkhole
IP address 72.5.65.111 instead.

If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on
your network or to a loopback address, see Configure the Sinkhole IP Address to a Local
Server on Your Network.

7. Click OK to save the Anti-Spyware profile.


STEP 5 | Attach the Anti-Spyware profile to a Security policy rule.


1. Select Policies > Security.
2. Select or create a Security Policy Rule.
3. On the Actions tab, select the Log at Session End check box to enable logging.
4. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From
the Anti-Spyware drop-down, select the new or modified profile.
5. Click OK to save the policy rule.

STEP 6 | Test that the policy action is enforced.


1. Access the DNS Security test domains to verify that the policy action for a given threat
type is being enforced.
2. To monitor the activity on the firewall:
1. Select ACC and add a URL Domain as a global filter to view the Threat Activity and
Blocked Activity for the domain you accessed.
2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs
on sinkholed domains.
3. For more monitoring options, see Monitor DNS Security Subscription Services

STEP 7 | Optional—Create a decryption policy rule to decrypt DNS-over-TLS (port 853) traffic. The
decrypted DNS payload can then be processed using the Anti-Spyware profile configuration
containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting
DNS requests appear in the threat logs as the conventional dns-base application with a
source port of 853.

STEP 8 | Optional—See Infected Hosts that Attempted to Connect to a Malicious Domain

Enable DNS Security (PAN-OS 9.1)

STEP 1 | Log in to the NGFW.

STEP 2 | To take advantage of DNS Security, you must have an active DNS Security and Threat
Prevention subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions that you
currently have licenses for, select Device > Licenses and verify that the appropriate licenses
display and have not expired.

STEP 3 | Verify that your security policy allows the paloalto-dns-security App-ID, so that traffic
to and from the DNS Security cloud service is permitted.

If your firewall deployment routes your management traffic through an Internet-facing
perimeter firewall configured to enforce App-ID security policies, you must also allow
the App-ID on the perimeter firewall; failure to do so will prevent DNS Security
connectivity.


STEP 4 | Configure DNS Security signature policy settings to send malware DNS queries to the
defined sinkhole.

If you use an external dynamic list as a domain allow list, it does not have precedence
over the DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the action
specified under DNS Security is still applied, even when the EDL is explicitly configured
with an action of Allow. If you want to add DNS domain exceptions, you can configure
an EDL with an Alert action.

1. Select Objects > Security Profiles > Anti-Spyware.


2. Create or modify an existing profile, or select one of the existing default profiles and
clone it.
3. Name the profile and, optionally, provide a description.
4. Select the DNS Signatures > Policies & Settings tab.
5. If the Palo Alto Networks DNS Security source is not present, click Add and select it
from the list.
6. Select an action to be taken when DNS lookups are made to known malware sites for
the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify
that the action is set to sinkhole.
7. (Optional) In the Packet Capture drop-down, select single-packet to capture the first
packet of the session or extended-capture to set between 1-50 packets. You can then
use the packet captures for further analysis.
8. In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your
convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to
access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this
address through content updates.

Sinkhole forges a response to a DNS query for domains that match the DNS
category configured for a sinkhole action to the specified sinkhole server, to
assist in identifying compromised hosts. When the default sinkhole FQDN
(sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record
as a response to the client, with the expectation that an internal DNS server will
resolve the CNAME record, allowing malicious communications from the client
to the configured sinkhole server to be logged and readily identifiable. However,
if clients are in networks without an internal DNS server, or are using software
or tools that cannot properly resolve a CNAME into an A record response, the
DNS request is dropped, resulting in incomplete traffic log details that are crucial
for threat analysis. In these instances, you should use the following sinkhole IP
address: 72.5.65.111.

If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on
your network or to a loopback address, see Configure the Sinkhole IP Address to a Local
Server on Your Network.
9. Click OK to save the Anti-Spyware profile.

STEP 5 | Attach the Anti-Spyware profile to a Security policy rule.


1. Select Policies > Security.
2. Select or create a Security Policy Rule.
3. On the Actions tab, select the Log at Session End check box to enable logging.
4. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From
the Anti-Spyware drop-down, select the new or modified profile.
5. Click OK to save the policy rule.


STEP 6 | Test that the policy action is enforced.


1. Access the DNS Security test domains to verify that the policy action for a given threat
type is being enforced.
2. To monitor the activity on the firewall:
1. View the Threat Activity and search for the URL test domain and Blocked Activity for
the domain you accessed.
2. Select Monitor > Logs > Threat and filter by ( action eq sinkhole ) to view logs
on sinkholed domains.
3. For more monitoring options, see Monitor DNS Security Subscription Services.

STEP 7 | Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The
decrypted DNS payload can then be processed using the Anti-Spyware profile configuration
containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting
DNS requests in the threat logs appear as a conventional dns-base application with a
source port of 853.

STEP 8 | Optional—See Infected Hosts that Attempted to Connect to a Malicious Domain
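The correlation behind STEP 8, written here as an added example rather than code from this guide: the threat log shows which domains were sinkholed, but when clients query through an internal resolver the traffic log sessions to the sinkhole address are what reveal the infected endpoints. It assumes logs exported as rows with the field names used in the code and the default sinkhole IPv4 address from STEP 4.

```python
"""Added example (not Palo Alto Networks code): list hosts that connected to the DNS
sinkhole after a sinkholed DNS answer. Assumes threat and traffic logs exported as rows
with the field names below and the default sinkhole IPv4 address documented in the guide."""
from collections import defaultdict
from ipaddress import ip_address

# Default sinkhole IPv4 address documented in this guide.
DEFAULT_SINKHOLE_IPS = {"72.5.65.111"}

# Constructed threat log rows. The clients forward queries to an internal resolver
# (10.1.1.5), so the firewall sees only the resolver as the DNS source; the threat
# log alone therefore cannot name the infected endpoint.
THREAT_LOG = [
    {"src": "10.1.1.5", "action": "sinkhole", "category": "dns-c2",
     "threat": "test-c2.testpanw.com"},
    {"src": "10.1.1.5", "action": "sinkhole", "category": "dns-malware",
     "threat": "test-malware.testpanw.com"},
    {"src": "10.1.1.5", "action": "alert", "category": "dns-grayware",
     "threat": "test-grayware.testpanw.com"},
]

# Constructed traffic log rows. After the forged answer, the real clients open
# sessions to the sinkhole IP, which is what exposes them.
TRAFFIC_LOG = [
    {"src": "10.1.1.20", "dst": "72.5.65.111", "dport": 443, "app": "ssl"},
    {"src": "10.1.1.20", "dst": "72.5.65.111", "dport": 80, "app": "web-browsing"},
    {"src": "10.1.1.31", "dst": "72.5.65.111", "dport": 8080, "app": "unknown-tcp"},
    {"src": "10.1.1.50", "dst": "203.0.113.10", "dport": 443, "app": "ssl"},
]


def sinkholed_domains(threat_log):
    """Domains for which the firewall forged a sinkhole response (action eq sinkhole)."""
    return sorted({row["threat"] for row in threat_log if row["action"] == "sinkhole"})


def infected_hosts(traffic_log, sinkhole_ips=DEFAULT_SINKHOLE_IPS):
    """Map each source IP that opened a session to a sinkhole address to the
    applications it used. Addresses are normalized so IPv6 sinkholes compare correctly."""
    targets = {ip_address(ip) for ip in sinkhole_ips}
    hits = defaultdict(set)
    for row in traffic_log:
        if ip_address(row["dst"]) in targets:
            hits[row["src"]].add(row["app"])
    return {src: sorted(apps) for src, apps in sorted(hits.items())}


def report(threat_log, traffic_log, sinkhole_ips=DEFAULT_SINKHOLE_IPS):
    """Combine both views: which domains were sinkholed, and which hosts then
    reached the sinkhole and should be investigated."""
    return {
        "sinkholed_domains": sinkholed_domains(threat_log),
        "hosts_to_investigate": infected_hosts(traffic_log, sinkhole_ips),
    }


if __name__ == "__main__":
    for key, value in report(THREAT_LOG, TRAFFIC_LOG).items():
        print(f"{key}: {value}")
```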


Enable Advanced DNS Security


Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support)
• Advanced Threat Prevention or Threat Prevention License

Advanced DNS Security supplements your existing DNS Security configuration to provide
additional protection against DNS hijacking by inspecting changes to DNS responses. You should
have fully configured DNS Security settings before proceeding with this step.
To enable Advanced DNS Security, you must create (or modify) an Anti-Spyware security profile
to access the Advanced DNS Security service, configure the log severity and policy settings for
the DNS signature category (or categories), and then attach the profile to a security policy rule.
• PAN-OS 11.2 and later

Enable Advanced DNS Security (PAN-OS 11.2 and Later)


Palo Alto Networks recommends enabling your DNS Security functionality prior to setting up
Advanced DNS Security.
STEP 1 | Log in to the NGFW.

STEP 2 | Update the content release version to 8832 or later.


STEP 3 | To prevent access to known and unknown malicious domains using Advanced DNS Security,
you must have an active Advanced DNS Security license. This should only be installed after
upgrading to PAN-OS 11.2.

Advanced DNS Security supports a licensing model that subsumes DNS Security
functionality into the Advanced DNS Security license when installed on a previously
unlicensed firewall. If you upgrade from a firewall with an existing DNS Security
license, entries indicating the presence of separate DNS Security and Advanced
DNS Security licenses are displayed. In this instance, the DNS Security license is
a passive entry and all DNS Security and Advanced DNS Security functionality is
conferred through the Advanced DNS License, including the relevant expiration date.
Firewalls without a previously installed DNS Security license show an Advanced DNS
Security license; however, it provides both DNS Security and Advanced DNS Security
functionality.
Consequently, if you downgrade from a PAN-OS release operating an Advanced DNS
Security license to a release that does not support Advanced DNS Security, the firewall
continues to display and confer DNS Security functionality through the Advanced DNS
Security license; however, it is limited to base DNS Security features.

To verify subscriptions for which you have currently active licenses, select Device > Licenses
and verify that the appropriate licenses are available and have not expired.


STEP 4 | Update or create a new Anti-Spyware Security profile to enable real-time Advanced DNS
Security queries. Typically, this is your existing Anti-Spyware security profile used for the
DNS Security configuration.

1. Select an existing Anti-Spyware security profile or Add a new one (Objects > Security
Profiles > Anti-Spyware).
2. Select your Anti-Spyware security profile and then go to DNS Policies.
3. For each Advanced DNS Security domain category, specify a Log Severity and Policy Action
to take when a domain type is detected using a corresponding analysis engine. There are
currently two analysis engines available: DNS Misconfiguration Domains and Hijacking
Domains.
Policy Action Options:
• allow—The DNS query is allowed.

You can configure the firewall to generate an alert when the applicable
domain type is detected by setting the action to allow and the log severity to
informational.
• block—The DNS query is blocked.
• sinkhole—Forges a DNS response for a DNS query targeting a detected malicious
domain. This directs the resolution of the malicious domain name to a specific IP
address (referred to as the Sinkhole IP), which is embedded as the response. The default
Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can
automatically refresh this IP address through content updates.
Log Severity Options:
• none—The event does not have an associated log severity level.
• low—Warning-level threats that have very little impact on an organization's
infrastructure. They usually require local or physical system access and may often result
in victim privacy or DoS issues and information leakage.
• informational—Suspicious events that do not pose an immediate threat, but that are
reported to call attention to deeper problems that could possibly exist.
• medium—Minor threats in which impact is minimized, such as DoS attacks that do not
compromise the target or exploits that require an attacker to reside on the same LAN as
the victim, affect only non-standard configurations or obscure applications, or provide
very limited access.
• high—Threats that have the ability to become critical but have mitigating factors; for
example, they may be difficult to exploit, do not result in elevated privileges, or do not
have a large victim pool.
• critical—Serious threats, such as those that affect default installations of widely deployed
software, result in root compromise of servers, and the exploit code is widely available
to attackers. The attacker usually does not need any special authentication credentials or
knowledge about the individual victims and the target does not need to be manipulated
into performing any special functions.
4. Click OK to exit the Anti-Spyware Security Profile configuration dialog and Commit your
changes.

STEP 5 | (Optional) Specify any public-facing parent domains within your organization that you want
Advanced DNS Security to analyze and monitor for the presence of misconfigured domains.
Misconfigured domains are inadvertently created by domain owners who point alias records
to third-party domains using CNAME, MX, or NS record types, using entries that are no longer
valid, allowing an attacker to take over the domain by registering the expired or unused
domains.

TLDs (top-level domains) and root level domains cannot be added to the DNS Zone
Misconfigurations list.

1. Select an Anti-Spyware security profile (Objects > Security Profiles > Anti-Spyware) and go
to DNS Policies.
2. In the DNS Zone Misconfigurations section, add public-facing parent domains with an
optional description to assist you in identifying domain usage or ownership within your
organization.

Entries must contain a "." in the domain (for example, paloaltonetworks.com); otherwise,
the entry is parsed as a hostname, which is considered a private domain.
3. Click OK to exit the Anti-Spyware Security Profile configuration dialog and Commit your
changes.

STEP 6 | (Optional) Configure the maximum Advanced DNS signature lookup timeout setting. When
this value is exceeded, the DNS response passes through without performing analysis using
Advanced DNS Security.

STEP 7 | (Optional [If you do not have the latest device certificate]) Install an updated firewall device
certificate used to authenticate to the Advanced Threat Prevention inline cloud analysis
service. Repeat for all firewalls enabled for inline cloud analysis.
If you have already installed an updated firewall device certificate as part of your IoT Security,
Device Telemetry, Advanced Threat Prevention, or Advanced URL Filtering onboarding
process, this step is not necessary.

STEP 8 | (Optional) Verify the status of your firewall connectivity to the Advanced DNS Security cloud
service.

STEP 9 | (Optional) Monitor activity on the firewall for DNS queries that have been detected using
Advanced DNS Security. DNS Security Categories analyzed using Advanced DNS Security
real-time analysis of the DNS response packet have the prefix ‘adns’ followed by the
category. For example, adns-dnsmisconfig, whereby ‘dnsmisconfig’ indicates the supported
DNS category type. If the DNS domain category was determined by analyzing the DNS
request packet, the specified category is displayed with the prefix ‘dns’ followed by the
category. For example, ‘dns-grayware.’
1. Access the Advanced DNS Security test domains to verify that the policy action for a
given threat type is being enforced.
2. Select Monitor > Logs > Threat. You can filter the logs based on the specific type of
Advanced DNS Security domain category, for example ( category-of-threatid
eq adns-hijacking ), whereby the variable adns-hijacking indicates DNS
queries that have been categorized as a malicious DNS hijacking attempt by Advanced
DNS Security. The following Advanced DNS Security threat categories are available in the
logs:
Advanced DNS Security Categories
• DNS Hijacking—adns-hijacking
DNS Hijacking domains have a threat ID of (UTID: 109,004,100).
• DNS Misconfiguration—adns-dnsmisconfig
DNS Misconfiguration domains have three threat IDs, which correspond to
three variants of DNS misconfiguration domain types: dnsmisconfig_zone
(UTID: 109,004,200), dnsmisconfig_zone_dangling (UTID: 109,004,201), and
dnsmisconfig_claimable_nx (UTID: 109,004,202). You can constrain the search
by cross-referencing a Threat ID value that corresponds to a specific DNS
misconfiguration domain type. For example, ( category-of-threatid eq adns-
dnsmisconfig ) and ( threatid eq 109004200 ), whereby 109004200 indicates the
Threat ID of a DNS misconfiguration domain that does not route traffic to an active
domain due to a DNS server configuration issue.
The following DNS categories are analyzed using Advanced DNS Security enhanced response analysis:

You must operate a firewall running PAN-OS 11.2 or later to take advantage
of enhanced Advanced DNS Security real-time analysis.

• DNS—adns-benign
• Malware Domains—adns-malware
• Command and Control Domains—adns-c2
• Phishing Domains—adns-phishing
• Dynamic DNS Hosted Domains—adns-ddns
• Newly Registered Domains—adns-new-domain
• Grayware Domains—adns-grayware
• Parked Domains—adns-parked
• Proxy Avoidance and Anonymizers—adns-proxy
• Ad Tracking Domains—adns-adtracking

If the DNS query does not complete within the specified timeout period for
Advanced DNS Security, the DNS Security categorization will be used, when
possible. In those instances, the legacy notation for the category is used, for
example, instead of adns-malware, it will be categorized as dns-malware,
indicating that the DNS Security categorization value was used.
3. Select a log entry to view the details of the DNS query.
4. The DNS Category is displayed under the Details pane of the detailed log view. In
addition, you can see other aspects of the threat, including the Threat ID, which
includes the origin domain, the specific threat category, and other associated
characteristics, as well as the associated QTYPE and RDATA, using the following format:
hijacking:<FQDN>:<QTYPE>:<RDATA>, whereby <QTYPE> represents the DNS
resource record type and <RDATA> represents the hijacked IP address.
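An added example (not Palo Alto Networks code) that applies filters in the ( field eq value ) form used in this step to exported threat log rows, unpacks the hijacking:<FQDN>:<QTYPE>:<RDATA> threat name, and tells the adns- and dns- category prefixes apart. It assumes rows are dicts keyed by the filter field names and supports only eq, neq, and, or and parentheses; the sample rows are constructed.

```python
"""Added example (not Palo Alto Networks code): evaluate threat log filters such as
( category-of-threatid eq adns-dnsmisconfig ) and (threatid eq 109004200) against
exported log rows. Assumptions: rows are dicts keyed by the filter field names; only
eq, neq, and, or and parentheses are supported; values are compared as strings."""
import re

# Threat IDs (UTIDs) documented for the Advanced DNS Security categories.
ADNS_THREAT_IDS = {
    109004100: "hijacking",
    109004200: "dnsmisconfig_zone",
    109004201: "dnsmisconfig_zone_dangling",
    109004202: "dnsmisconfig_claimable_nx",
}

# Constructed sample threat log rows; the hijacking threat name reuses the AAAA
# record from the guide's hijacking test-case table as its RDATA.
THREAT_LOG = [
    {"category-of-threatid": "adns-hijacking", "threatid": 109004100, "action": "sinkhole",
     "threat": "hijacking:test-ipv6.hijacking.testpanw.com:AAAA:2607:f8b0:4005:80d::2005"},
    {"category-of-threatid": "adns-dnsmisconfig", "threatid": 109004200, "action": "alert",
     "threat": "test-dnsmisconfig-zone.testpanw.com"},
    {"category-of-threatid": "adns-dnsmisconfig", "threatid": 109004202, "action": "block",
     "threat": "test-dnsmisconfig-claimable-nx.testpanw.com"},
    {"category-of-threatid": "dns-malware", "action": "sinkhole",
     "threat": "test-malware.testpanw.com"},
]

# Parentheses may be glued to a word ("(threatid"), so they are separate tokens.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := '(' or_expr ')' | field op value."""

    def __init__(self, expr):
        self.toks = _TOKEN.findall(expr)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        pred = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _or(self):
        pred = self._and()
        while self._peek() == "or":
            self._take()
            pred = (lambda l, r: lambda row: l(row) or r(row))(pred, self._and())
        return pred

    def _and(self):
        pred = self._atom()
        while self._peek() == "and":
            self._take()
            pred = (lambda l, r: lambda row: l(row) and r(row))(pred, self._atom())
        return pred

    def _atom(self):
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        field, op, value = tok, self._take(), self._take()
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return lambda row: (str(row.get(field, "")) == value) == (op == "eq")


def search(rows, expr):
    """Return the rows matching a PAN-OS style log filter expression."""
    pred = _Parser(expr).parse()
    return [row for row in rows if pred(row)]


def analysis_source(category):
    """'adns-' categories came from real-time response analysis; 'dns-' categories are
    the DNS Security request-time result (used, for example, when the lookup timed out)."""
    if category.startswith("adns-"):
        return "advanced-dns-security-response"
    if category.startswith("dns-"):
        return "dns-security-request"
    raise ValueError(f"not a DNS Security category: {category!r}")


def parse_hijacking_threat(name):
    """Split hijacking:<FQDN>:<QTYPE>:<RDATA>. RDATA may itself contain ':' (IPv6),
    so split on the first three separators only."""
    kind, fqdn, qtype, rdata = name.split(":", 3)
    if kind != "hijacking":
        raise ValueError(f"not a hijacking threat name: {name!r}")
    return {"fqdn": fqdn, "qtype": qtype, "rdata": rdata}
```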


STEP 10 | (Optional) Retrieve a list of misconfigured domains and hijacked domains detected by the
Advanced DNS Security service. The misconfigured domains are based on the public-facing
parent domain entries added to DNS Zone Misconfigurations.

Misconfigured domain entries that are removed from your network are not
immediately reflected in the Advanced DNS Security dashboard statistics.

1. Use the credentials associated with your Palo Alto Networks support account and log in
to Strata Cloud Manager on the hub.
2. Select Dashboards > More Dashboards > DNS Security to open the DNS Security
dashboard.
3. From the DNS Security dashboard, refer to the following widgets:
• Misconfigured Domains—View a list of non-resolvable domains associated with
the user-specified public-facing parent domain(s). For each entry, there is a
misconfiguration reason and a traffic hit count based on the source IP.

• Hijacked Domains—View a list of hijacked domains as determined by Advanced DNS
Security. For each entry, there is a categorization reason and a traffic hit count based
on the source IP.


Configure DNS Security Over TLS


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

You can get visibility and control into DNS Security over TLS requests by decrypting the DNS
payload contained within the encrypted DNS request. The decrypted DNS payload can then
be processed using the security profile configuration containing your DNS policy settings. DNS
requests that have been determined to have originated from TLS sources have a source port of
853 in the threat logs.
• Strata Cloud Manager
• PAN-OS & Panorama

Configure DNS Security Over TLS (Strata Cloud Manager)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager application on the hub.

STEP 2 | Ensure DNS Security is configured to inspect DNS requests. You can use your existing
security profile if you want to use the same DNS Policies settings for DNS Security over TLS
traffic.

STEP 3 | Create a decryption policy rule with an action to decrypt HTTPS traffic on port 853, which
includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more
information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in
the logs appear as conventional dns-base applications.

STEP 4 | (Optional) Search for activity on the firewall for decrypted TLS-encrypted DNS queries that
have been processed using DNS Security.
1. Select Activity > Log Viewer and select Threat logs. Use the query builder to filter
based on the application using dns-base and port 853 (which is exclusively used
for DNS Security over TLS transactions), for example, app = 'dns-base' AND
source_port = 853.
2. Select a log entry to view the details of the detected DNS threat.
3. The Application should display dns-base in the General pane and the Port in the Source
pane of the detailed log view. Other relevant details about the threat are displayed in
their corresponding tabs.

Configure DNS Security Over TLS (NGFW (Managed by PAN-OS or Panorama))
STEP 1 | Log in to the NGFW.

STEP 2 | Ensure DNS Security is configured to inspect DNS requests. You can use your existing
security profile if you want to use the same DNS Policies settings for DNS Security over TLS
traffic.

STEP 3 | Create a decryption policy rule (similar to the example below) with an action to decrypt
HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the
Decryption Best Practices for more information). When DNS Security over TLS traffic
is decrypted, the resulting DNS requests in the logs appear as conventional dns-base
applications.

STEP 4 | (Optional) Search for activity on the firewall for decrypted TLS-encrypted DNS queries that
have been processed using DNS Security.
1. Select Monitor > Logs > Traffic and filter based on the application using dns-base and
port 853 (which is exclusively used for DNS Security over TLS transactions), for example,
( app eq dns-base ) and ( port.src eq 853 ).
2. Select a log entry to view the details of a detected DNS threat.
3. The Application should display dns-base in the General pane and the Port in the Source
pane of the detailed log view. Other relevant details about the threat are displayed in
their corresponding windows.


Configure DNS Security Over DoH


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

You can analyze and categorize the DNS payload contained within encrypted DNS traffic requests
to DNS hosts using HTTPS (DoH, DNS-over-HTTPS). If your organization currently blocks
all DoH requests, as Palo Alto Networks recommends, you can transition away from that policy,
because DNS Security now enables you to extract the DNS hostname from the encrypted request
and apply your organization's existing DNS Security policies. This allows you to safely access
more websites as support for DoH widens. DNS Security support for DoH is enabled by configuring
the firewall to decrypt the payload of DNS requests originating from a user-specified list of
DNS resolvers, providing support for a range of server options. The decrypted DNS payload
can then be processed using the Anti-Spyware profile configuration containing your DNS policy
configuration. DNS requests that have been determined to be DoH are labeled as dns-over-https
in the traffic logs.
• Strata Cloud Manager
• PAN-OS 11.0 and later

Configure DNS Security Over DoH (Strata Cloud Manager)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager on the hub.

STEP 2 | Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic
to/from (you will need the DNS server URL(s)).

STEP 3 | Create a Decryption Policy Rule that references the custom URL category list that you
created in the previous step.

STEP 4 | Update or create a new anti-spyware security profile used to inspect DoH requests.

STEP 5 | Create or update a security policy rule and reference a DNS Security profile and a custom
URL category list (Manage > Configuration > PAN-OS and Prisma Access > Security
Services > URL Access Management) containing the approved list of DoH servers.


STEP 6 | Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH
traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by
using the App-ID: dns-over-https and the following URL category: encrypted-dns.

If you already have an existing block policy to block DoH traffic, verify that the rule
is placed below the previous security policy rule used to match with specific DoH
resolvers listed in a custom URL category list object.

STEP 7 | (Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have
been processed using DNS Security.
1. Select Activity > Logs > Log Viewer and select Threat.
2. Submit a log query based on the application, using dns-over-https, for example, app =
'dns-over-https'.
3. Select a log entry to view the details of a detected DNS threat that uses DoH.
4. The threat Application is displayed in the General pane of the detailed log view. Other
relevant details about the threat are displayed in their corresponding windows.

Configure DNS Security Over DoH (PAN-OS 11.0 and Later)


STEP 1 | Log in to the PAN-OS web interface.

STEP 2 | Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic
to/from (you will need the DNS server URL(s)).

STEP 3 | Create a Decryption Policy Rule that references the custom URL category list that you
created in the previous step.

STEP 4 | Update or create a new anti-spyware security profile used to inspect DoH requests.

STEP 5 | Create or update a security policy rule and reference an anti-spyware profile and a custom
URL category list (Objects > Custom Objects > URL Category) containing the approved list
of DoH servers.

STEP 6 | Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH
traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by
using the App-ID: dns-over-https and the following URL category: encrypted-dns.

If you already have an existing block policy to block DoH traffic, verify that the rule
is placed below the previous security policy rule used to match with specific DoH
resolvers listed in a custom URL category list object.


STEP 7 | (Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have
been processed using DNS Security.
1. Select Monitor > Logs > Traffic and filter based on the application using dns-over-https,
for example, ( app eq dns-over-https ).
2. Select a log entry to view the details of a detected DNS threat.
3. The Application should display dns-over-https in the General pane of the detailed log
view, indicating that this is DoH traffic that has been processed using DNS Security.
Other relevant details about the threat are displayed in their corresponding windows.


Create Domain Exceptions and Allow | Block Lists


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

DNS Security creates threat signatures for domains that have been analyzed by the DNS Security
service. For these known domains, the signatures are referenced when a DNS query is received.
In some cases, it might be possible that the signature has incorrectly categorized a domain as a
threat, due to certain features or qualities present in the domain. In such circumstances, you can
add signature exceptions to bypass these false-positives. If there are known safe domains that are
categorized as malicious, such as internal domains, you can add a list of domains that will bypass
any DNS analysis. If your organization uses third party threat feeds as part of a comprehensive
threat intelligence solution, you can also reference those in the form of external dynamic lists
(EDLs) in your DNS Security profile.
• Strata Cloud Manager
• PAN-OS & Panorama

Create Domain Exceptions and Allow | Block Lists (Strata Cloud Manager)
STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager on the hub.


STEP 2 | Add domain overrides in cases where false-positives occur.


1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS
Security and select a DNS Security profile to modify.
2. Add Override or Delete to modify the domain list entries as necessary. Each additional
entry requires the domain and a description.

3. Click OK to save your modified DNS Security profile.

STEP 3 | Reference an external dynamic list (EDL) as part of your DNS Security profile to import third
party threat feeds.
1. Create a domain-based external dynamic list (Manage > Configuration > NGFW and
Prisma Access > Objects > External Dynamic Lists). For more information about EDLs,
see External Dynamic List.
2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DNS
Security.
3. In the External Dynamic Lists panel, select a domain list EDL and provide the Policy
Action and Packet Capture settings. In Apply to Profiles, select the DNS Security profile
to which you want the EDL domain list to apply.
4. Save your changes when you have finished making your updates.

Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))
PAN-OS 10.0 and later releases provide an additional option to explicitly add allowable domains
through the Anti-Spyware security profile. You can add domain/FQDN entries for approved
domain sources if they trigger a false-positive response from DNS Security.
• PAN-OS 10.0 and later
• PAN-OS 9.1

Create Domain Exceptions and Allow | Block Lists (PAN-OS 10.0 and later)

STEP 1 | Log in to the NGFW.


STEP 2 | Add domain signature exceptions in cases where false-positives occur.


1. Select Objects > Security Profiles > Anti-Spyware.
2. Select a profile to modify.
3. Add or modify the Anti-Spyware profile from which you want to exclude the threat
signature, and select DNS Exceptions.
4. Search for a DNS signature to exclude by entering the name or FQDN.
5. Select the checkbox for each Threat ID of the DNS signature that you want to exclude
from enforcement.

6. Click OK to save your new or modified Anti-Spyware profile.


STEP 3 | Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Select a profile to modify.
3. Add or modify the Anti-Spyware profile from which you want to exclude the threat
signature, and select DNS Exceptions.
4. To Add a new FQDN allow list entry, provide the DNS domain or FQDN location and a
description.

5. Click OK to save your new or modified Anti-Spyware profile.

Create Domain Exceptions and Allow | Block Lists (PAN-OS 9.1)

Allow and block lists are not available in PAN-OS 9.1.

STEP 1 | Log in to the NGFW.


STEP 2 | Add domain signature exceptions in cases where false-positives occur.


1. Select Objects > Security Profiles > Anti-Spyware.
2. Select a profile to modify.
3. Add or modify the Anti-Spyware profile from which you want to exclude the threat
signature, and select DNS Signatures > Exceptions.
4. Search for a DNS signature to exclude by entering the name or FQDN.
5. Select the DNS Threat ID for the DNS signature that you want to exclude from
enforcement.

6. Click OK to save your new or modified Anti-Spyware profile.


Test Domains
Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks provides the following DNS Security test domains to validate your policy
configuration based on the DNS category.


STEP 1 | Access the following test domains to verify that the policy action for a given threat type is
being enforced:
DNS Security
• C2—test-c2.testpanw.com
• DNS Tunneling—test-dnstun.testpanw.com
• DGA—test-dga.testpanw.com
• Dynamic DNS*—test-ddns.testpanw.com
• Malware—test-malware.testpanw.com
• Newly Registered Domains*—test-nrd.testpanw.com
• Phishing*—test-phishing.testpanw.com
• Grayware*—test-grayware.testpanw.com
• Parked*—test-parked.testpanw.com
• Proxy Avoidance and Anonymizers*—test-proxy.testpanw.com
• Fast Flux*—test-fastflux.testpanw.com
• Malicious NRD*—test-malicious-nrd.testpanw.com
• NXNS Attack*—test-nxns.testpanw.com
• Dangling*—test-dangling-domain.testpanw.com
• DNS Rebinding*—test-dns-rebinding.testpanw.com
• DNS Infiltration*—test-dns-infiltration.testpanw.com
• Wildcard Abuse*—test-wildcard-abuse.testpanw.com
• Strategically-Aged*—test-strategically-aged.testpanw.com
• Compromised DNS*—test-compromised-dns.testpanw.com
• Ad Tracking*—test-adtracking.testpanw.com
• CNAME Cloaking*—test-cname-cloaking.testpanw.com
• Ransomware*—test-ransomware.testpanw.com
• Stockpile*—test-stockpile-domain.testpanw.com
• Cybersquatting*—test-squatting.testpanw.com
• Subdomain Reputation*—test-subdomain-reputation.testpanw.com

The test domains marked with an * are not supported in PAN-OS 9.1.

Advanced DNS Security


Access the following test domain to verify that the policy action for a given threat type is being
enforced:
• DNS Misconfiguration Domain (Claimable)—test-dnsmisconfig-claimable-nx.testpanw.com


The following test cases should be added to your DNS server zone file for testpanw.com before
accessing the domains. These test cases match the Advanced DNS Security signatures and
generate the corresponding logs. Verify that the policy action for a given threat type is being
enforced.

Table 1: DNS Misconfiguration Domain (Zone Dangling) Test Cases

Host                                              Record Type   Record Data
*.test-dnsmisconfig-zone-dangling.testpanw.com    A             1.2.3.4

Table 2: Hijacking Domain Test Cases

Host                                                Record Type   Record Data
test-ipv4.hijacking.testpanw.com                    A             1.2.3.5
*.test-ipv4-wildcard.hijacking.testpanw.com         A             1.2.3.6
test-ipv6.hijacking.testpanw.com                    AAAA          2607:f8b0:4005:80d::2005
test-cname-rrname.hijacking.testpanw.com            CNAME         1.test-cname-wc.hijacking.testpanw.com
test-cname-rrname-wc.hijacking.testpanw.com         CNAME         1.test-cname-wildcard-1.hijacking.testpanw.com
*.test-cname-rrname-sub-wc.hijacking.testpanw.com   CNAME         2.test-cname-wc.hijacking.testpanw.com
test-ns-rrname.hijacking.testpanw.com               NS            test-ns.hijacking.testpanw.com
test-ns-rrname-rdata-wc.hijacking.testpanw.com      NS            1.test-ns-wc.hijacking.testpanw.com
1.test-ns-rrname-sub-wc.hijacking.testpanw.com      NS            test-ns.hijacking.testpanw.com
test-rrname-wc.hijacking.testpanw.com               NS            test-ns-2.hijacking.testpanw.com

For NS records, you must query with the following option: "dig +trace NS".


STEP 2 | Verify that the DNS query request has been processed by DNS Security by monitoring the
activity.


Test Connectivity to the DNS Security Cloud Services


Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

DNS Security
Verify your firewall connectivity to the DNS Security service. If you cannot reach the service,
verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.
STEP 1 | Access the firewall CLI.

STEP 2 | Use the following CLI command to verify your firewall’s connection availability to the DNS
Security service.

show dns-proxy dns-signature info

For example:

show dns-proxy dns-signature info

Cloud URL: dns.service.paloaltonetworks.com:443

Telemetry URL: io.dns.service.paloaltonetworks.com:443

Last Result: None

Last Server Address:

Parameter Exchange: Interval 300 sec

Allow List Refresh: Interval 43200 sec

Request Waiting Transmission: 0

Request Pending Response: 0

Cache Size: 0

If your firewall has an active connection to the DNS Security service, the server details display
in the response output.


STEP 3 | Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature
category.
Use the following CLI command on the firewall to review the details about a domain:

test dns-proxy dns-signature fqdn

For example:

test dns-proxy dns-signature fqdn www.yahoo.com

DNS Signature Query [ www.yahoo.com ]

Completed in 178 ms

DNS Signature Response

Entries: 2

Domain                  Category   GTID   TTL
-----------------------------------------------------------------------------
*.yahoo.com             Benign     0      86400
www.yahoo.com           Benign     0      3600

Advanced DNS Security


Verify your firewall connectivity to the Advanced DNS Security service. If you
cannot reach the service, verify that the following domain is not being blocked: adv-
dns.service.paloaltonetworks.com. If you have manually configured a regional Advanced DNS
Security server, you may need to verify the specific regional domain is also unblocked.
Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
Use the following CLI command on the firewall to view the connection status.

show ctd-agent status security-client

For example:

show ctd-agent status security-client

...
Security Client ADNS(1)
Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
Pool state: Ready (2)
last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
Security Client AdnsTelemetry(2)
Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Pool state: Ready (2)
last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
...

Verify that the cloud connection status for Security Client AdnsTelemetry(2) and
Security Client ADNS(1) are showing active connections.

CLI output shortened for brevity.

If you are unable to connect to the Advanced DNS Security cloud service, verify that the
Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com.
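The following Python script is an added example and is not part of PAN-OS or this guide. It parses output in the format shown above and reports whether both Security Client ADNS(1) and Security Client AdnsTelemetry(2) show Cloud connection: connected, and it also flags a client whose Insecure connection or Skip cert verify field is true. The sample output embedded in it is constructed; the unhealthy values it gives the telemetry client are assumed, not taken from this guide.

```python
"""Check `show ctd-agent status security-client` output for the two Advanced DNS
Security clients the guide says must be connected (added example, not PAN-OS code)."""
import re

REQUIRED_CLIENTS = ("ADNS(1)", "AdnsTelemetry(2)")

# Constructed sample in the format of the guide's CLI output. The telemetry client
# is deliberately shown unhealthy to exercise the check; its "Cloud connection",
# "State" and "Skip cert verify" values are assumed, not quoted from the guide.
SAMPLE_OUTPUT = """\
Security Client ADNS(1)
Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway)
Pool state: Ready (2)
Security Client AdnsTelemetry(2)
Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: disconnected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Skip cert verify: true
Grpc Connection Status:
State Connecting (1), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Pool state: Ready (2)
"""


def parse_security_clients(output):
    """Map each 'Security Client <name>' block to the fields the check needs."""
    clients, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        head = re.match(r"Security Client (\S+)$", line)
        if head:
            current = head.group(1)
            clients[current] = {"server": None, "connected": False, "insecure": False,
                                "skip_cert_verify": False, "state": None, "last_err": None}
            continue
        if current is None:
            continue
        info = clients[current]
        if line.startswith("Current cloud server:"):
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Cloud connection:"):
            info["connected"] = line.split(":", 1)[1].strip() == "connected"
        elif "Insecure connection:" in line:
            info["insecure"] = re.search(r"Insecure connection:\s*(\w+)", line).group(1) == "true"
        elif line.startswith("Skip cert verify:"):
            info["skip_cert_verify"] = line.split(":", 1)[1].strip() == "true"
        elif line.startswith("State "):
            st = re.match(r"State (\w+) \(\d+\)(?:, last err (.*))?", line)
            if st:
                info["state"], info["last_err"] = st.group(1), st.group(2)
    return clients


def check_clients(clients):
    """Return findings for the required clients; an empty list means both look healthy.

    'last err' is recorded even while a client is connected (the guide's own sample
    shows one), so it is reported only as context for a client that is not connected.
    """
    findings = []
    for name in REQUIRED_CLIENTS:
        info = clients.get(name)
        if info is None:
            findings.append(f"{name}: missing from output")
            continue
        if not info["connected"]:
            findings.append(f"{name}: not connected to {info['server']} "
                            f"(gRPC state {info['state']}; last err: {info['last_err']})")
        if info["insecure"] or info["skip_cert_verify"]:
            findings.append(f"{name}: TLS verification towards the cloud service is relaxed "
                            "(Insecure connection or Skip cert verify is true)")
    return findings
```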


Configure Lookup Timeout


Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

DNS Security
If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity
issues, the request, including all subsequent DNS responses, is passed through. You can check
the average latency to verify that requests fall within the configured period. If the average latency
exceeds the configured period, consider raising the setting to a value that is higher than the
average latency to prevent requests from timing out.
STEP 1 | In the CLI, issue the following command to view the average latency.

show dns-proxy dns-signature counters

The default timeout is 100 milliseconds.

STEP 2 | Scroll down through the output to the latency section under the Signature query API heading
and verify that the average latency falls within the defined timeout period. This latency
indicates the amount of time it takes, on average, to retrieve a signature verdict from the
DNS security service. Additional latency statistics for various latency periods can be found
below the averages.

Signature query API:


.
.
.
[latency ] :
max 1870 (ms) min 16(ms) avg 27(ms)
50 or less : 47246
100 or less : 113
200 or less : 25
400 or less : 15
else : 21

STEP 3 | If the average latency is consistently above the default timeout value, you can raise the
setting so that the requests fall within a given period. Select Device > Content-ID and
update the Realtime Signature Lookup setting.

STEP 4 | Commit the changes.


Advanced DNS Security


STEP 1 | View the record of round trip times (in milliseconds) for Advanced DNS Security requests
using the following debug CLI command. These are distributed into latency brackets from
0ms to 450ms. You can use this to determine the ideal max latency setting for your NGFW.

admin@PA-VM> debug dataplane show ctd feature-forward stats

In the response output, navigate to the section PAN_CTDF_DETECT_SERVICE_ADNS.

PAN_CTDF_DETECT_SERVICE_ADNS
cli_timeout: 1
req_total: 2
req_timed_out: 0
Hold:
adns rtt>=0ms: 0
adns rtt>=50ms: 2
adns rtt>=100ms: 0
adns rtt>=150ms: 0
adns rtt>=200ms: 0
adns rtt>=250ms: 0
adns rtt>=300ms: 0
adns rtt>=350ms: 0
adns rtt>=400ms: 0
adns rtt>=450ms: 0

STEP 2 | Configure the maximum Advanced DNS signature lookup timeout setting. When this value
is exceeded, the DNS response passes through without performing analysis using Advanced
DNS Security. DNS signatures (and their associated policies) that are delivered through
regular content updates or are part of configured EDLs (external dynamic lists) or DNS
exceptions are still applied.

1. Select Device > Setup > Content-ID > Advanced DNS Security.
2. Specify an updated maximum Advanced DNS signature lookup timeout setting in
milliseconds. The default is 100ms and is the recommended setting.
3. Click OK to confirm your changes.
Alternatively, you can use the following CLI command to configure the Advanced DNS
Security timeout value. You can set a value of 100-15,000ms in 100ms increments. The
default value is 100ms and is the recommended setting.

admin@PA-VM# set deviceconfig setting adns-setting max-latency <timeout_value_in_milliseconds>


For example:

admin@PA-VM# set deviceconfig setting adns-setting max-latency 500

You can check the current timeout configuration using the following CLI command (refer to
the max-latency entry of the output).

admin@PA-VM> show config pushed-template

...
}
deviceconfig {
setting {
dns {
dns-cloud-server dns-qa.service.paloaltonetworks.com;
}
adns-setting {
max-latency 100;
}
}
}
...
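The following Python script is an added example and is not part of PAN-OS or this guide. It parses the latency brackets of both outputs shown in this section (the Signature query API section of show dns-proxy dns-signature counters, and the PAN_CTDF_DETECT_SERVICE_ADNS section of debug dataplane show ctd feature-forward stats) and turns them into a lookup timeout rounded up to the 100 ms increments the setting accepts. The embedded samples are constructed from the outputs above, and the reading that each adns rtt>=N ms counter covers requests between N and the next bracket is an assumption.

```python
"""Recommend a DNS Security / Advanced DNS Security lookup timeout from the latency
brackets reported by the firewall CLI (added example, not PAN-OS code)."""
import re

# Range and step the adns-setting max-latency command accepts, per the guide.
MIN_TIMEOUT_MS, MAX_TIMEOUT_MS, STEP_MS = 100, 15000, 100

# Constructed sample in the format of the 'Signature query API' latency section of
# `show dns-proxy dns-signature counters`.
DNS_SIGNATURE_COUNTERS = """\
Signature query API:
[latency ] :
max 1870 (ms) min 16(ms) avg 27(ms)
50 or less : 47246
100 or less : 113
200 or less : 25
400 or less : 15
else : 21
"""

# Constructed sample in the format of the PAN_CTDF_DETECT_SERVICE_ADNS section of
# `debug dataplane show ctd feature-forward stats`.
ADNS_FORWARD_STATS = """\
PAN_CTDF_DETECT_SERVICE_ADNS
cli_timeout: 1
req_total: 2
req_timed_out: 0
Hold:
adns rtt>=0ms: 0
adns rtt>=50ms: 2
adns rtt>=100ms: 0
adns rtt>=150ms: 0
adns rtt>=200ms: 0
adns rtt>=250ms: 0
adns rtt>=300ms: 0
adns rtt>=350ms: 0
adns rtt>=400ms: 0
adns rtt>=450ms: 0
"""


def parse_signature_latency(output):
    """Return (stats, buckets): stats holds max/min/avg in ms, buckets is an ascending
    list of (upper_bound_ms, count) with bound None for the open-ended 'else' bracket."""
    m = re.search(r"max\s+(\d+)\s*\(ms\)\s+min\s+(\d+)\s*\(ms\)\s+avg\s+(\d+)\s*\(ms\)",
                  output)
    if not m:
        raise ValueError("latency summary line not found")
    stats = {"max": int(m.group(1)), "min": int(m.group(2)), "avg": int(m.group(3))}
    buckets = [(int(b), int(c)) for b, c in re.findall(r"(\d+) or less\s*:\s*(\d+)", output)]
    tail = re.search(r"else\s*:\s*(\d+)", output)
    buckets.append((None, int(tail.group(1)) if tail else 0))
    return stats, buckets


def parse_adns_rtt(output):
    """Return (req_total, req_timed_out, buckets). Assumption: each 'adns rtt>=Nms'
    counter covers round trip times in [N, next bracket), so its upper bound is the
    next bracket's threshold and the last bracket is open-ended (None)."""
    total = int(re.search(r"req_total:\s*(\d+)", output).group(1))
    timed_out = int(re.search(r"req_timed_out:\s*(\d+)", output).group(1))
    rows = sorted((int(s), int(c)) for s, c in re.findall(r"adns rtt>=(\d+)ms:\s*(\d+)", output))
    buckets = []
    for i, (_start, count) in enumerate(rows):
        upper = rows[i + 1][0] if i + 1 < len(rows) else None
        buckets.append((upper, count))
    return total, timed_out, buckets


def _round_to_setting(ms):
    """Round up to the next 100 ms step and clamp to the configurable range."""
    stepped = -(-ms // STEP_MS) * STEP_MS
    return max(MIN_TIMEOUT_MS, min(MAX_TIMEOUT_MS, stepped))


def recommend_timeout_ms(buckets, target=0.99, observed_max_ms=None):
    """Smallest configurable timeout under which at least `target` of the recorded
    lookups completed. A lookup slower than the timeout is passed through without a
    cloud verdict, so `target` is the share of responses that will actually be checked."""
    total = sum(count for _, count in buckets)
    if total == 0:
        return MIN_TIMEOUT_MS
    seen = 0
    for upper, count in buckets:
        seen += count
        if seen / total >= target:
            if upper is None:  # open bracket: fall back to the observed maximum
                upper = observed_max_ms or MAX_TIMEOUT_MS
            return _round_to_setting(upper)
    return MAX_TIMEOUT_MS
```

With the sample above, 99% of DNS Security lookups complete within 100 ms and 99.9% within 200 ms, so the default of 100 ms is sound unless the operator wants the slower tail analyzed as well.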


Bypass DNS Security Subscriptions Services


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

DNS Security queries can be bypassed in cases where latency issues or other network issues are
present.

In cases where false-positives occur, Palo Alto Networks recommends creating specific
exceptions instead of bypassing DNS Security queries.

• Cloud Management
• PAN-OS & Panorama

Bypass DNS Security Subscriptions Services (Strata Cloud Manager)

STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager on the hub.

STEP 2 | Go to Manage > Configuration > NGFW and Prisma Access > Security Services > DNS
Security and select the relevant DNS Security profile.

STEP 3 | Configure the DNS Security signature policy settings to bypass DNS Security queries. For
each DNS category, set the Action to allow and Packet Capture to disabled. In the following,
the DNS Security categories have been configured to bypass DNS Security queries.


STEP 4 | In the Overrides section, verify that there are no entries present; if necessary, delete all
Domain/FQDN overrides.

STEP 5 | Click OK to save the DNS Security profile.

Bypass DNS Security Subscriptions Services (NGFW (Managed by PAN-OS or Panorama))

PAN-OS 10.0 and later supports individually configurable DNS signature sources, which enables
you to define separate policy actions as well as a log severity level for a given signature source.
This requires you to configure both the policy action and the log severity for each available DNS
signature source to bypass DNS Security. Additionally, you must also remove the DNS exceptions
entries for the DNS Security to be fully bypassed. On PAN-OS 9.1, you can simply set the policy
action for Palo Alto Networks DNS Security to an action of allow.
• PAN-OS 10.0 and later
• PAN-OS 9.1

Bypass DNS Security Subscriptions Services (PAN-OS 10.0 and later)

STEP 1 | Log in to the NGFW.


STEP 2 | Configure the DNS Security signature policy settings to bypass DNS Security queries.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Select the profile containing your active DNS Security policy settings.
3. Select the DNS Policies tab.
4. For each DNS category, set the log severity to none, the policy action to allow, and
packet capture to disable. In the following, the DNS Security categories have been
configured to bypass DNS Security queries.

STEP 3 | Select DNS Exceptions and remove all DNS Domain/FQDN Allow List entries.

STEP 4 | Click OK to save the Anti-Spyware profile.

Bypass DNS Security Subscriptions Services (PAN-OS 9.1)

STEP 1 | Log in to the NGFW.


STEP 2 | Configure DNS Security signature policy settings to bypass DNS Security look-ups.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Select the profile containing your active DNS Security policy settings.
3. Select the DNS Signatures tab.
4. Under Policies & Settings, set the policy action for Palo Alto Networks DNS Security to
an action of allow.

STEP 3 | Click OK to save the Anti-Spyware profile.



Monitor DNS Security Subscription Services

Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks provides several options to monitor DNS Security and Advanced DNS
Security activity to accommodate intelligence retrieval for a range of products that rely on DNS
Security subscription services and the associated traffic data. Depending on the product platform,
you can access anything from high-level dashboards that provide DNS request statistics and usage
trends, including context into network activity, to specific DNS request details from specific users
in the form of logging data.
You can also view how the DNS Security subscription services integrate with other Palo Alto
Networks applications and security services to protect your organization from threats, as well
as get a high-level view of the overall operational health of your deployment, through the Strata
Cloud Manager Command Center. The command center functions as your NetSec homepage and
provides a comprehensive summary of the health, security, and efficiency of your network, in an
interactive visual dashboard with multiple data facets for easy, at-a-glance assessment.
For more specific details about DNS Security subscription service operations, the dashboard
provides a view into your network's DNS query data as well as the ability to drill down into various
DNS trends. Each dashboard card provides a unique view into how DNS requests and responses
are processed and categorized in a graphical report format. This allows you to see, at a glance, a
high-level view of your organization’s DNS usage statistics. It also provides a list of misconfigured
domains and hijacked domains detected by the Advanced DNS Security service, enabling you to
correct and rectify any DNS configuration errors. The misconfigured domains are based on the
public-facing parent domain entries added to the DNS Zone Misconfigurations list.
You can also view the logs that are automatically generated when DNS requests are processed.
These event files are time-stamped and provide an audit trail when configured to do so, based on
the DNS category log configuration. DNS log entries can contain various details about the DNS
request, including the nature of the DNS threat posed by the associated domain, as well as the
action taken when the threat was detected.
Palo Alto Networks provides several methods to monitor the DNS Security activity based on your
platform.
• The Strata Cloud Manager Command Center
• View DNS Security Dashboard
• View DNS Security logs for the DNS queries that passed through my network


View DNS Security Dashboard


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

The DNS Security dashboard shows the statistics data generated by the Advanced DNS Security
and DNS Security subscription services in a fast, visual assessment report of your organization’s
DNS usage. View and drill down into various DNS trends discovered in your network. Each
dashboard card provides a unique view into how DNS requests are processed and categorized.
Select dashboard cards to change the context of the dashboard or view more information about a
specific trend, domain, or statistic.
The DNS Security dashboard is available on Prisma Access and AIOps for NGFW. You can interact
with the DNS Security Dashboard Cards to alter the context of the dashboard or view more
information about a specific trend, domain, or statistic. You can also customize the formatting to
display current trends or historical data, across relevant data points.
• Strata Cloud Manager
• AIOps for NGFW Free

DNS Security Dashboard Cards


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

The cards populating the DNS Security dashboard are interactive and allow you to view
additional details or pivot to a list of specific requests, events, and domains, depending on how
the content is shown.


The following list provides an overview of the DNS Security dashboard cards:

DNS Requests
Displays the total number of DNS requests that have been processed by DNS Security.
• The line chart diagrams the number of DNS requests based on the user-defined time range.
Specifying a custom time range updates the line chart accordingly.
• The DNS category and action filters do not alter the card contents.

Malicious DNS Requests
Displays a stacked bar graph showing DNS requests that have been categorized based on the
currently available types that are considered malicious. The total number is shown in the
upper-left while a breakdown of categorical variables is indicated below.
• The line chart diagrams the number of DNS requests based on the user-defined time range.
Specifying a custom time range updates the line chart accordingly.
• The DNS category and action filters do not alter the card contents.

Subscription
Displays the number of devices in your network with an active DNS Security subscription. A
percentage of devices that are not equipped with DNS Security or with an elapsed subscription
is also shown with a link to a complete list.
• You can select See a List of Devices to view a complete list.
• This card shows a snapshot of the current subscription status—the filter options do not have
any impact.

High-Risk DNS Category Trend
Displays a trend chart showing a breakdown of the DNS requests based on the DNS category or
the action applied to the DNS request over the observable time range.
• Select between a DNS category or action trend chart using the radio button.
• Hover over a segment on the streamgraph representing a data type to isolate it and open a
popup showing the number of DNS requests or type of action taken.
• Specifying a custom time range updates the trend chart accordingly.
• The DNS category and action filters highlight the selected variable in the card, but do not
remove it from the chart.

DNS Category Distribution Across Actions
Displays a flow diagram that provides a visualization of the distribution of actions taken for
high-risk DNS categories. A secondary table shows the actions taken for lower-priority DNS
categories.
• Hover over a specific flow to open a popup showing the number of actions taken of the
specified type.
• Specifying a custom time range updates the flow diagram accordingly.
• The DNS category and action filters do not alter the card contents.

• The top domains list is generated based on the filter settings applied at the top of the
dashboard. Widgets that affect the overall page settings also determine which domains are
shown.
• Hover over a bar to view usage statistics.
• Click on a domain to view DNS analysis details.

Domains
Displays the number of domains seen in your network, within your industry, other industries,
as well as the total number, based on the selected DNS category. Allows you to compare your
organization’s DNS usage to other organizations within the industry as well as against globally
collected data, including a list of domain requests found exclusively in your network.
• The domains listed in this card include all DNS categories regardless of the DNS category and
action filters. Only the time range updates the content of the card.

Top 10 Domains
Provides a list of the top 10 most commonly requested domains from your network along with
the DNS category and the action taken. You can view more details and the relevant logs for a
domain by clicking the appropriate icon. Select View All DNS Requests for a complete list of
domains that have been accessed.
• The domains listed in this card include all DNS categories regardless of the DNS category and
action filters. Only the time range updates the content of the card.
• Click on a domain to view DNS analysis details.

DNS Resolvers
Provides two lists showing the most resolved malicious domains and the least resolved domains
in your network.
• Click on a DNS resolver to view DNS analysis details.

Misconfigured Domains (Advanced DNS Security)
Provides a list of non-resolvable domains associated with the user-specified public-facing parent
domain(s). For each entry, there is a misconfiguration reason and a traffic hit count based on the
source IP.

Hijacked Domains (Advanced DNS Security)
Provides a list of hijacked domains as determined by Advanced DNS Security. For each entry,
there is a categorization reason and a traffic hit count based on the source IP.

View DNS Security Dashboard (Strata Cloud Manager)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
Strata Cloud Manager on the hub.

STEP 2 | Select Dashboards > More Dashboards > DNS Security to open the DNS Security
dashboard.

STEP 3 | From the dashboard, configure your filter options using the available drop downs.
1. Filter by time range—Select from Last hour, Last 24 hours, Last 7 days, or Last 30 days
to display data for a specific time-frame.
2. Filter by DNS category—Select from Select All, Malware, Command and Control,
Phishing, Grayware, Exceptions List, Newly Registered, Dynamic DNS, Proxy, Parked,
Benign, Ad Track to filter the data set based on a DNS type.

The Exceptions List category is a list maintained by Palo Alto Networks of explicitly
allowable domains based on metrics from PAN-DB and Alexa. These allow list domains are
frequently accessed and known to be free from malicious content.
3. Filter by DNS action—Select from Allow, Block, and Sinkhole to filter based on the
action taken on a DNS query based on your DNS Security profile action settings.

STEP 4 | Optionally, you can also Download, Share, and Schedule Activity Reports.

STEP 5 | You can re-contextualize, interact, and pivot from the data provided by the dashboard cards.
For an overview of each of the DNS Security dashboard cards, see DNS Security Dashboard
cards.

View DNS Security Dashboard (AIOps for NGFW Free)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the AIOps for NGFW Free application on the hub.


STEP 2 | Select Dashboards > More Dashboards > DNS Security to open the DNS Security
dashboard.

STEP 3 | From the dashboard, configure your filter options using the available drop downs.

1. Filter by time range—Select from Last hour, Last 24 hours, Last 7 days, or Last 30 days
to display data for a specific time-frame.
2. Filter by DNS category—Select from C2 (DGA, Tunneling, other C2), Malware, Newly
Registered Domain, Phishing, Dynamic DNS, Allow List, Benign, Grayware, Parked,
Proxy, and Any Category, to filter the data set based on a DNS type.

The Allow List category is a list maintained by Palo Alto Networks of explicitly
allowable domains based on metrics from PAN-DB and Alexa. These allow list
domains are frequently accessed and known to be free from malicious content.
3. Filter by DNS action—Select from Allow, Block, and Sinkhole to filter based on the
action taken on a DNS query based on your DNS Security profile action settings.

STEP 4 | Optionally, you can also Download, Share, and Schedule Activity Reports.

STEP 5 | You can re-contextualize, interact, and pivot from the data provided by the dashboard cards.
For an overview of each of the DNS Security dashboard cards, see DNS Security Dashboard
cards.


View DNS Security Logs


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Panorama)
• NGFW (Managed by Strata Cloud Manager)
• NGFW (Managed by PAN-OS or Panorama)
• VM-Series
• CN-Series

What Do I Need?
• Advanced DNS Security License (for enhanced feature support) or DNS Security License
• Advanced Threat Prevention or Threat Prevention License

You can browse, search, and view DNS Security logs that are automatically generated when DNS
Security encounters a qualifying event. Typically, this includes any domain category that DNS
Security analyzes unless it is specifically configured with a log severity level of none. Log entries
provide numerous details about the event, including the threat level and, if applicable, the nature
of threat.
DNS Security logs are accessible directly on the firewall or through Strata Logging Service-based
log viewers (AIOps for NGFW Free, Cloud Management, Strata Logging Service, etc.). While the
firewall allows you to access malicious threat log entries that are generated when users make
DNS queries, benign DNS requests are not recorded. DNS Security data is also forwarded to
Strata Logging Service through log forwarding (as threat logs) and DNS Security telemetry (as
DNS Security logs), which are then referenced by various activity log viewer applications. DNS
Security telemetry operates with minimal overhead, which limits the amount of data sent to
Strata Logging Service; as a result, only a subset of DNS queries are forwarded to Strata Logging
Service as DNS Security log entries, regardless of the severity level, threat type, or category. The
threat logs for malicious DNS requests that are forwarded to Strata Logging Service using log
forwarding are available in their entirety. As a result, Palo Alto Networks recommends viewing
logs for malicious DNS requests as threat logs instead of DNS Security logs.
• Strata Cloud Manager
• PAN-OS & Panorama
• AIOps for NGFW Free
• Strata Logging Service

View DNS Security Logs (Strata Cloud Manager)


Benign DNS queries that have been analyzed by DNS Security are not displayed in the log
viewer. Log in to your Strata Logging Service app to access benign DNS log entries.

STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Cloud Manager on the hub.


STEP 2 | Search for DNS queries that have been processed using DNS Security.
1. Select Incidents and Alerts > Log Viewer.
2. Constrain your search using the threat filter and submit a log query based on the DNS
category, for example, threat_category.value = 'dns-c2' to view logs that
have been determined to be a C2 domain. To search for other DNS types, replace c2
with another supported DNS category (ddns, parked, malware, etc.). Adjust the search
criteria as necessary for your search, including additional query parameters (such as the
severity level and subtype) along with a date range.
3. Select a log entry to view the details of a detected DNS threat.
4. The threat Category is displayed in the General pane of the detailed log view. Other
relevant details about the threat are displayed in their corresponding windows.
5. For DNS tunneling domains, including tunneling-based APTs (advanced persistent
threats), you can view the tunneling tools and attack campaigns associated with the
domain. This is reflected in the Threat ID/Name field of the log entry for a DNS
tunnel domain. The Threat ID/Name for DNS tunnel domains uses the following format:
Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>,
where each tool_name in the comma-separated list is either a DNS tunneling tool used to
embed data into the DNS queries and responses or the name of a cyber threat campaign.
These campaigns can be industry-accepted incidents that use the same naming
conventions, or ones identified and named by Palo Alto Networks and described in the
Unit 42 Threat Research blogs. A blog about such a campaign, in this case one leveraging
DNS tunneling techniques, can be found here: Leveraging DNS Tunneling for Tracking
and Scanning.

The DNS tunnel attribution might produce the associated tool and campaign
entries some time after the initial DNS tunnel detection has completed. In this
instance, only the domain name is initially specified alongside the DNS tunnel
category. When the DNS tunnel attribution component finishes, the complete
details display as expected in the Threat ID/Name field, including any DNS
tunneling tools and campaigns.

View DNS Security Logs (NGFW (Managed by PAN-OS or Panorama))
STEP 1 | Log in to the PAN-OS web interface.


STEP 2 | Search for activity on the firewall for queries that have been processed using DNS Security.
1. Select Monitor > Logs > Threat and filter based on the DNS category.
Consider the following examples:
• ( category-of-threatid eq dns-c2 ) to view logs for domains that DNS Security
has determined to be C2 domains.
• ( category-of-threatid eq adns-hijacking ) to view DNS queries that Advanced
DNS Security has categorized as malicious DNS hijacking attempts.
To search for other DNS categories, replace c2 with another supported DNS category (ddns,
parked, malware, etc).

2. Select a log entry to view the details of a detected DNS threat.


3. The threat Category is displayed in the Details pane of the detailed log view. Other
relevant details about the threat are displayed in their corresponding windows.


4. For DNS tunneling domains, including tunneling-based APTs (advanced persistent
threats), you can view the tunneling tools and attack campaigns associated with the
domain. This is reflected in the Threat ID/Name field of the log entry for a DNS
tunnel domain, which uses the following format:
Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>
where each tool_name in the comma-separated list is either a DNS tunneling tool used
to embed data in DNS queries and responses or the name of a cyber threat campaign.
A campaign can be an industry-accepted incident, named with the same conventions, or
one identified and named by Palo Alto Networks and described in the Unit 42 Threat
Research blogs. One such campaign, which leveraged DNS tunneling techniques, is
described in the Unit 42 blog Leveraging DNS Tunneling for Tracking and Scanning.

The DNS tunnel attribution might produce the associated tool and campaign
entries some time after the initial DNS tunnel detection has completed. In that
case, only the domain name is initially shown alongside the DNS tunnel
category. When the DNS tunnel attribution component finishes, the complete
details, including any DNS tunneling tools and campaigns, are displayed in the
Threat ID/Name field.
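The following is an added example written for this page; it is not code from the Palo Alto Networks guide or product. It does offline what the category filters above do in the log viewers (the PAN-OS ( category-of-threatid eq dns-c2 ) filter and the threat_category.value = 'dns-c2' query), and it parses the Threat ID/Name format documented for DNS tunnel domains in both the Strata Cloud Manager and PAN-OS procedures, Tunneling:<tool_name>,...:<domain_name>, flagging entries logged before tool and campaign attribution completed so an analyst knows to re-query them. The record schema and sample log entries are constructed for the example (the field names are not the vendor's), and because the guide does not spell out the exact pre-attribution string, the parser accepts both Tunneling::<domain> and Tunneling:<domain> as unattributed; that is an assumption.

```python
"""Offline triage of DNS Security threat-log entries (illustrative example,
not Palo Alto Networks code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented prefix of the Threat ID/Name field for DNS tunnel domains.
TUNNEL_PREFIX = "Tunneling:"

# PAN-OS threat severities, lowest to highest.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample records in a minimal schema of this example's own
# (not the vendor's); real threat logs carry many more fields. Category
# values on the tunnel entries are constructed too: the code detects tunnel
# entries by the documented "Tunneling:" prefix, not by category.
SAMPLE_THREAT_LOGS: List[Dict[str, str]] = [
    {"category": "dns-c2", "severity": "high", "subtype": "spyware",
     "threat_name": "Tunneling:dnscat2,iodine,ExampleCampaign:tun.example-c2.invalid"},
    {"category": "dns-c2", "severity": "high", "subtype": "spyware",
     "threat_name": "Tunneling::beacon.example-c2.invalid"},  # attribution not yet reported
    {"category": "adns-hijacking", "severity": "high", "subtype": "spyware",
     "threat_name": "hijacked.example.invalid"},
    {"category": "dns-parked", "severity": "low", "subtype": "spyware",
     "threat_name": "parked.example.invalid"},
    {"category": "dns-malware", "severity": "medium", "subtype": "spyware",
     "threat_name": "dl.example-malware.invalid"},
]


@dataclass(frozen=True)
class TunnelAttribution:
    domain: str
    names: Tuple[str, ...]  # tunneling tools and campaign names, as logged
    attributed: bool        # False until the attribution component has reported


def parse_tunnel_threat_name(threat_name: str) -> Optional[TunnelAttribution]:
    """Parse 'Tunneling:<tool>,<tool>,...:<domain>'; None for non-tunnel entries.

    Assumption: before attribution the field carries only the domain, as
    'Tunneling::<domain>' or 'Tunneling:<domain>'; both are accepted.
    """
    if not threat_name.startswith(TUNNEL_PREFIX):
        return None
    body = threat_name[len(TUNNEL_PREFIX):]
    # The domain is the last colon-separated field; the comma-separated
    # tool/campaign list, possibly empty, is everything before it.
    labels, sep, domain = body.rpartition(":")
    if not sep:
        labels, domain = "", body
    names = tuple(n.strip() for n in labels.split(",") if n.strip())
    domain = domain.strip().rstrip(".").lower()
    if not domain:
        raise ValueError(f"no domain in Threat ID/Name: {threat_name!r}")
    return TunnelAttribution(domain=domain, names=names, attributed=bool(names))


def filter_threat_logs(records, category: str, min_severity: str = "informational"):
    """Records in one DNS category at or above a severity floor."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in records
            if r["category"] == category
            and SEVERITY_RANK.get(r["severity"], 0) >= floor]


def dns_category_counts(records) -> Counter:
    """Hit count per DNS Security (dns-*) and Advanced DNS Security (adns-*) category."""
    return Counter(r["category"] for r in records
                   if r["category"].startswith(("dns-", "adns-")))


def tunnel_domains_pending_attribution(records) -> List[str]:
    """Tunnel domains logged before tool/campaign attribution completed."""
    pending = []
    for r in records:
        parsed = parse_tunnel_threat_name(r["threat_name"])
        if parsed is not None and not parsed.attributed:
            pending.append(parsed.domain)
    return pending


if __name__ == "__main__":
    print(dict(dns_category_counts(SAMPLE_THREAT_LOGS)))
    for rec in filter_threat_logs(SAMPLE_THREAT_LOGS, "dns-c2"):
        print(rec["threat_name"], "->", parse_tunnel_threat_name(rec["threat_name"]))
    print("pending attribution:", tunnel_domains_pending_attribution(SAMPLE_THREAT_LOGS))
```

The parser splits on the last colon rather than the first so that a tool or campaign list can be empty without being mistaken for the domain, which is the case the guide warns about when attribution arrives after the initial detection.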

View DNS Security Logs (AIOps for NGFW Free)


Benign DNS queries that have been analyzed by DNS Security are not displayed in the
AIOps for NGFW Free log viewer. Log in to your Strata Logging Service app to access
benign DNS log entries.

STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the AIOps for NGFW Free application on the hub.

STEP 2 | Search for DNS queries that have been processed using DNS Security in AIOps for NGFW
Free.
1. Select Incidents and Alerts > Log Viewer.
2. Constrain your search using the threat filter and submit a log query based on the DNS
category, for example, threat_category.value = 'dns-c2' to view logs for domains
that DNS Security has determined to be C2 domains. To search for other DNS categories,
replace c2 with another supported DNS category (ddns, parked, malware, etc). Adjust the search
criteria as necessary for your search, including additional query parameters (such as the
severity level and subtype) along with a date range.
3. Select a log entry to view the details of a detected DNS threat.
4. The threat Category is displayed in the Details pane of the detailed log view. Other
relevant details about the threat are displayed in their corresponding windows.

View DNS Security Logs (Strata Logging Service)


STEP 1 | Use the credentials associated with your Palo Alto Networks support account and log in to
the Strata Logging Service application on the hub.

STEP 2 | Allocate Storage Based on Log Type. If no storage has been allocated for DNS
Security logs in Strata Logging Service, the log entries cannot be viewed through Strata
Logging Service.


STEP 3 | Search for DNS queries that have been processed using DNS Security in Strata Logging
Service.
1. Select Explore to open the Strata Logging Service log viewer.
2. Constrain your search using the threat filter and submit a log query based on the DNS
category, for example, threat_category.value = 'dns-c2' to view logs for domains
that DNS Security has determined to be C2 domains. To search for other DNS categories,
replace c2 with another supported DNS category (ddns, parked, malware, etc). Adjust the search
criteria as necessary for your search, including additional query parameters (such as the
severity level and subtype) along with a date range.
3. Select a log entry to view the details of a detected DNS threat.
4. The threat Category is displayed in the Details pane of the detailed log view. Other
relevant details about the threat are displayed in their corresponding windows.
