Configure DNS Security Over DoH (PAN-OS 11.0 and Later)

Log in to the PAN-OS web interface.

Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic to/from (you will need the DNS server URL(s)).

Create a Decryption Policy Rule that references the custom URL category list that you created in the previous step.

Update or create a new anti-spyware security profile used to inspect DoH requests.

Create or update a security policy rule and reference an anti-spyware profile and a custom URL category list (

Objects

Custom Objects

URL Category

) containing the approved list of DoH servers.

Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by using the App-ID:

dns-over-https

and the following URL category:

encrypted-dns

.

If you already have an existing block policy to block DoH traffic, verify that the rule is placed below the previous security policy rule used to match with specific DoH resolvers listed in a custom URL category list object.

(Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have been processed using DNS Security.

Select

Monitor

Logs

Traffic

and filter based on the application using

dns-over-https

, for example,

( app eq dns-over-https )

.

Select a log entry to view the details of a detected DNS threat.

The

Application

should display dns-over-https in the

General

pane of the detailed log view, indicating that this is DoH traffic that has been processed using DNS Security. Other relevant details about the threat are displayed in their corresponding windows.