>
    Strata Copilot
    Test Domains
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced DNS Security Powered by Precision AI®
    3. Configure DNS Security Subscription Services
    4. Test Domains
    Download PDF
    Advanced DNS Security Powered by Precision AI®

    Test Domains

    Table of Contents

    Test Domains

    Verify your policies using DNS Security test domains. Safely simulate malware, C2, and phishing hits to ensure your Anti-Spyware profiles and actions trigger correctly.
    Where Can I Use This?What Do I Need?
    • Prisma Access
    • NGFW
    • VM-Series
    • CN-Series
    • Advanced DNS Security License (for enhanced feature support) or DNS Security License
    • Advanced Threat Prevention or Threat Prevention License
    To ensure your security policies are correctly intercepting and enforcing actions on malicious traffic, Palo Alto Networks provides a set of dedicated DNS Security test domains. These domains allow you to safely simulate hits for specific threat categories—such as malware, command-and-control (C2), or phishing—without exposing your network to actual malicious content.
    By attempting to resolve these domains from a client behind the firewall, you can verify that your Anti-Spyware profile is correctly attached to your security policy and that the designated action (such as Alert, Block, or Sinkhole) is being triggered.
    1. Access the following test domains to verify that the policy action for a given threat type is being enforced:
      The test domains marked with an * are not supported in PAN-OS 9.1.
      Access the following test domain to verify that the policy action for a given threat type is being enforced:
      • DNS Misconfiguration Domain (Claimable)—http://test-dnsmisconfig-claimable-nx.testpanw.com
      The following test domain test cases should be added to your DNS server zone file of testpanw.com before accessing the domain. These test cases match against the Advanced DNS Security signatures and will generate the appropriate logs. Verify that the policy action for a given threat type is being enforced.
      • DNS Misconfiguration Domain (Zone Dangling) Test Cases
        Host
        Record Type
        Record Data
        *.test-dnsmisconfig-zone-dangling.testpanw.com
        A
        1.2.3.4
      • Hijacking Domain Test Cases
        Host
        Record Type
        Record Data
        test-ipv4.hijacking.testpanw.com
        A
        1.2.3.5
        *.test-ipv4-wildcard.hijacking.testpanw.com
        A
        1.2.3.6
        test-ipv6.hijacking.testpanw.com
        AAAA
        2607:f8b0:4005:80d::2005
        test-cname-rrname.hijacking.testpanw.com
        CNAME
        1.test-cname-wc.hijacking.testpanw.com
        test-cname-rrname-wc.hijacking.testpanw.com
        CNAME
        1.test-cname-wildcard-1.hijacking.testpanw.com
        *.test-cname-rrname-sub-wc.hijacking.testpanw.com
        CNAME
        2.test-cname-wc.hijacking.testpanw.com
        test-ns-rrname.hijacking.testpanw.com
        NS
        test-ns.hijacking.testpanw.com
        test-ns-rrname-rdata-wc.hijacking.testpanw.com
        NS
        1.test-ns-wc.hijacking.testpanw.com
        1.test-ns-rrname-sub-wc.hijacking.testpanw.com
        NS
        test-ns.hijacking.testpanw.com
        test-rrname-wc.hijacking.testpanw.com
        NS
        test-ns-2.hijacking.testpanw.com
        For NS records, you must use the following option:"dig +trace NS"
    2. Verify that the DNS query request has been processed by DNS Security by monitoring the activity.

    © 2026 Palo Alto Networks, Inc. All rights reserved.