PAN-OS 10.0 and later supports individually
configurable DNS signature sources, which enables you to define
separate policy actions as well as a log severity level for a given
signature source. This requires you to configure both the policy
action and the log severity for each available DNS signature source
to bypass DNS Security. Additionally, you must also remove the DNS
exceptions entries for the DNS Security to be fully bypassed. On
PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks
DNS Security to an action of allow.