Configure DNS Security Over TLS (Strata Cloud Manager)

1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager application on the hub.
2. Enable DNS Security is configured to inspect DNS requests. You can use your existing security profile if you want to use the same DNS Policies settings for DNS Security over TLS traffic.
3. Create a decryption policy rule with an action to decrypt HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in the logs appear as conventional dns-base applications.
4. (Optional) Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security.

   1. Select Log Viewer and use the drop down to filter the logs based on the Threat log type. Use the query builder to filter based on the application using dns-base and port 853 (which is exclusively used for DNS Security over TLS transactions), for example, app = 'dns-base' AND source_port = 853.
   2. Select a log entry to view the details of the detected DNS threat.
   3. The Application should display dns-base in the General pane and the Port in the Source pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding tabs.