Advanced DNS Security License (for enhanced feature support)
or DNS Security License
Advanced Threat Prevention or Threat Prevention License
Palo Alto Networks maintains a network of global and regional domains that provide
service for DNS Security and Advanced DNS Security operations. These service domains
operate real-time DNS request analyzers, access to the DNS signature database and
provide advanced cloud-dependent functionality. By default, DNS Security and Advanced
DNS Security connects to the global service domains (dns.service.paloaltonetworks.com
and adv-dns.service.paloaltonetworks.com,respectively), which then automatically
redirect to the regional domain that is closest to the network security platform
location.
DNS Security Regional Service Domains
Palo Alto Networks recommends using the default global service domain
configuration for improved fail-over handling; however, if you experience latency
issues due to the particulars of your location (for example, when straddling
multiple overlapping regional domains), you can manually specify the service domain.
To specify the regional service domain used by DNS Security, you must add a DNS
entry for dns.service.paloaltonetworks.com that includes a CNAME record that
indicates a valid regional domain as part of your DNS server configuration. After
connecting to a regional domain, you can issue the CLI command on the firewall:
show dns-proxy dns-signature counters
to
review the average latency. The relevant section is located under the Signature
query API heading.
The following table lists the DNS Security service domains:
Location
URL
Cape Town, South Africa
dns-za.service.paloaltonetworks.com
Hong Kong
dns-hk.service.paloaltonetworks.com
Tokyo, Japan
dns-jp.service.paloaltonetworks.com
Singapore
dns-sg.service.paloaltonetworks.com
Mumbai, India
dns-in.service.paloaltonetworks.com
Sydney, Australia
dns-au.service.paloaltonetworks.com
London, England
dns-uk.service.paloaltonetworks.com
Frankfurt, Germany
dns-de.service.paloaltonetworks.com
Eemshaven, Netherlands
dns-nl.service.paloaltonetworks.com
Paris, France
dns-fr.service.paloaltonetworks.com
Bahrain
dns-bh.service.paloaltonetworks.com
Montreal, Quebec, Canada
dns-ca.service.paloaltonetworks.com
Osasco, São Paulo, Brazil
dns-br.service.paloaltonetworks.com
Council Bluffs, Iowa, USA
dns-us-ia.service.paloaltonetworks.com
Ashburn, Northern Virginia, USA
dns-us-va.service.paloaltonetworks.com
The Dalles, Oregon, USA
dns-us-or.service.paloaltonetworks.com
Los Angeles, California, USA
dns-us-ca.service.paloaltonetworks.com
Advanced DNS Security Regional Service Domains
You can manually specify the server used to facilitate Advanced DNS Security queries.
While Palo Alto Networks recommends using the default global service domain, you can
override the selected server if you encounter higher than expected latency or other
service-related issues.
You can specify the Advanced DNS Security service domain in PAN-OS from DeviceSetupManagementAdvanced DNS SecurityDNS Security Server.
This setting does not impact how standard DNS Security queries are handled.
The following table lists the Advanced DNS Security service domains:
