Advanced DNS Security Powered by Precision AI®
Regional Service Domains (PAN-OS & Panorama)
Table of Contents
Regional Service Domains (PAN-OS & Panorama)
Depending on the PAN-OS release that you are operating on your NGFW, your DNS Security
traffic might be routed using alternate pathways.
Regional Service Domains (PAN-OS 11.2 - 11.2.8)
You can manually specify the server used to facilitate Advanced DNS Security queries.
While Palo Alto Networks recommends using the default global service domain, you can
override the selected server if you encounter higher than expected latency or other
service-related issues. By default, in PAN-OS 11.2 - 11.2.8, DNS Security and
Advanced DNS Security connects to the global service domains
(dns.service.paloaltonetworks.com and
adv-dns.service.paloaltonetworks.com,respectively), which then automatically
redirect to the regional domain that is closest to the network security platform
location. The regional FQDN settings only impact Advanced DNS Security response
traffic, while request traffic (DNS Security) continues through the global service
domain for inspection.
This setting does not impact how standard DNS Security queries are handled.
The following table lists the service domains used by Advanced DNS Security:
|
Location
|
URL
|
|---|---|
|
Cape Town, South Africa
|
dns-za.service.paloaltonetworks.com
|
|
Bahrain
|
dns-bh.service.paloaltonetworks.com
|
|
Paris, France
|
dns-fr.service.paloaltonetworks.com
|
|
Tokyo, Japan
|
dns-jp.service.paloaltonetworks.com
|
|
Singapore
|
dns-sg.service.paloaltonetworks.com
|
|
Sydney, Australia
|
dns-au.service.paloaltonetworks.com
|
|
London, England
|
dns-uk.service.paloaltonetworks.com
|
|
Frankfurt, Germany
|
dns-de.service.paloaltonetworks.com
|
|
Eemshaven, Netherlands
|
dns-nl.service.paloaltonetworks.com
|
|
Council Bluffs, Iowa, USA
|
dns-us-ia.service.paloaltonetworks.com
|
|
Ashburn, Northern Virginia, USA
|
dns-us-va.service.paloaltonetworks.com
|
|
The Dalles, Oregon, USA
|
dns-us-or.service.paloaltonetworks.com
|
|
Montreal, Quebec, Canada
|
dns-ca.service.paloaltonetworks.com
|
|
Osasco, São Paulo, Brazil
|
dns-br.service.paloaltonetworks.com
|
|
Los Angeles, California, USA
|
dns-us-ca.service.paloaltonetworks.com
|
|
Hong Kong
|
The Advanced DNS Security regional service domain in Hong Kong
has two FQDN options:
Palo Alto Networks recommends using the
dns-cn.service.paloaltonetworks.com
FQDN if you experience connectivity or access issues.
|
|
Mumbai, India
|
dns-in.service.paloaltonetworks.com
|
|
Tel Aviv, Israel
|
dns-il.service.paloaltonetworks.com
|
|
Seoul, South Korea
|
dns-kr.service.paloaltonetworks.com
|
- Log in to the NGFW.Select ().In the Advanced DNS Security window, update the DNS Security Server field as necessary and OK when finished.
Regional Service Domains (PAN-OS 11.2.9 and later)
PAN-OS 11.2.9 and later provides consolidated service domains for Advanced DNS
Security and DNS Security subscription services and the ability to allow users to
manually select their preferred regional FQDN settings. Both DNS Security and
Advanced DNS Security traffic (requests and responses) are routed to the default (or
user-defined) regional service domain. This creates a more unified and predictable
experience for your DNS security services as it establishes a consistent DNS
security inspection process by ensuring both request and response traffic follow the
same regional routing path. The provides better alignment with chosen regional
points of presence and gives customers greater control when using regional service
domains for their security infrastructure.
If you recently upgraded from PAN-OS 11.2.8 or earlier to PAN-OS 11.2.9 or later
and previously modified your configuration to use a regional service domain not
specified in the list below, you will notice a change in traffic routing
behavior. Palo Alto Networks recommends that users with previously modified
FQDNs to use one of the following updated FQDNs that corresponds to the region
of your choice.
The following table lists the service domains used by both Advanced DNS Security and
DNS Security:
|
Location
|
URL
|
|---|---|
|
Cape Town, South Africa
|
dns-za.service.paloaltonetworks.com
|
|
Bahrain
|
dns-bh.service.paloaltonetworks.com
|
|
Paris, France
|
dns-fr.service.paloaltonetworks.com
|
|
Tokyo, Japan
|
dns-jp.service.paloaltonetworks.com
|
|
Singapore
|
dns-sg.service.paloaltonetworks.com
|
|
Sydney, Australia
|
dns-au.service.paloaltonetworks.com
|
|
London, England
|
dns-uk.service.paloaltonetworks.com
|
|
Frankfurt, Germany
|
dns-de.service.paloaltonetworks.com
|
|
Eemshaven, Netherlands
|
dns-nl.service.paloaltonetworks.com
|
|
Council Bluffs, Iowa, USA
|
dns-us-ia.service.paloaltonetworks.com
|
|
Ashburn, Northern Virginia, USA
|
dns-us-va.service.paloaltonetworks.com
|
|
The Dalles, Oregon, USA
|
dns-us-or.service.paloaltonetworks.com
|
|
Montreal, Quebec, Canada
|
dns-ca.service.paloaltonetworks.com
|
|
Osasco, São Paulo, Brazil
|
dns-br.service.paloaltonetworks.com
|
|
Los Angeles, California, USA
|
dns-us-ca.service.paloaltonetworks.com
|
|
Hong Kong
|
The Advanced DNS Security regional service domain in Hong Kong
has two FQDN options:
Palo Alto Networks recommends using the
dns-cn.service.paloaltonetworks.com
FQDN if you experience connectivity or access issues.
|
|
Mumbai, India
|
dns-in.service.paloaltonetworks.com
|
|
Tel Aviv, Israel
|
dns-il.service.paloaltonetworks.com
|
|
Seoul, South Korea
|
dns-kr.service.paloaltonetworks.com
|
- Log in to the NGFW.Select ().In the Advanced DNS Security window, update the DNS Security Server field as necessary and OK when finished.
