Test Connectivity to the DNS Security Cloud Services
Where Can I Use This?
- NGFW (Managed by Strata Cloud Manager)
- NGFW (Managed by PAN-OS or Panorama)
- VM-Series
- CN-Series
What Do I Need?
- Advanced DNS Security License (for enhanced feature support) or DNS Security License
- Advanced Threat Prevention or Threat Prevention License
DNS Security
Verify that your firewall can reach the DNS Security service. If you cannot
reach the service, verify that the following domain is not being blocked:
dns.service.paloaltonetworks.com.
Access the firewall CLI.
Use the following CLI command to verify whether your firewall can connect to
the DNS Security service.
show dns-proxy dns-signature info
For example:
show dns-proxy dns-signature info
Cloud URL: dns.service.paloaltonetworks.com:443
Telemetry URL: io.dns.service.paloaltonetworks.com:443
Last Result: None
Last Server Address:
Parameter Exchange: Interval 300 sec
Allow List Refresh: Interval 43200 sec
Request Waiting Transmission: 0
Request Pending Response: 0
Cache Size: 0
If your firewall has an active connection to the DNS Security service,
the server details display in the response output. In the example above,
Last Server Address is empty and Last Result is None, which means the firewall
has not yet completed a connection to the service.
Retrieve a specified domain’s transaction details, such as latency, TTL,
and the signature category.
Use the following CLI command on the firewall to review the details about
a domain:
test dns-proxy dns-signature fqdn <domain>
For example:
test dns-proxy dns-signature fqdn www.yahoo.com
DNS Signature Query [ www.yahoo.com ]
Completed in 178 ms
DNS Signature Response
Entries: 2
Domain Category GTID TTL
-------------------------------------------------------------------------------------------------
*.yahoo.com Benign 0 86400
www.yahoo.com Benign 0 3600
Advanced DNS Security
Verify that your firewall can reach the Advanced DNS Security service. If you
cannot reach the service, verify that the following domain is not being blocked:
adv-dns.service.paloaltonetworks.com. If you have manually configured a regional
Advanced DNS Security server, you may also need to verify that the specific
regional domain is unblocked.
Verify the status of your firewall connectivity to the Advanced DNS
Security cloud service.
Use the following CLI command on the firewall to view the connection
status.
show ctd-agent status security-client
For example:
show ctd-agent status security-client
...
Security Client ADNS(1)
Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
Pool state: Ready (2)
last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
Security Client AdnsTelemetry(2)
Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 8
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 12
Maximum number of sessions a worker should process before reconnect: 10240
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Pool state: Ready (2)
last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
...
Verify that the Cloud connection status shows connected for both Security Client
ADNS(1) and Security Client AdnsTelemetry(2).
CLI output shortened for brevity.
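As an added check that is not part of the Palo Alto Networks documentation, the following Python parser reads the show ctd-agent status security-client output shown above, confirms that both security clients report connected, and surfaces any recorded last err for troubleshooting. The sample input is an abridged copy of the page's example output, and the function names are assumptions of this example.

```python
import re
# Sample output, abridged from this page's "show ctd-agent status security-client" example.
SAMPLE_STATUS = """\
Security Client ADNS(1)
Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway)
Security Client AdnsTelemetry(2)
Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
Cloud connection: connected
State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
"""
# Both clients must be up: ADNS(1) returns domain verdicts, AdnsTelemetry(2) sends telemetry.
REQUIRED_CLIENTS = ("ADNS(1)", "AdnsTelemetry(2)")
def parse_security_clients(output):
    """Return {client name: fields} for every 'Security Client' block in the output."""
    clients, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Security Client (\S+)", line)
        if m:
            current = clients.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        if line.startswith("Current cloud server:"):
            current["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Cloud connection:"):
            current["connected"] = line.split(":", 1)[1].strip() == "connected"
        elif line.startswith("State "):
            m = re.match(r"State (\w+) \((\d+)\)(?:, last err (.*))?", line)
            if m:
                current["grpc_state"] = m.group(1)
                current["last_err"] = m.group(3)  # None when no error is recorded
    return clients
def check_adns_connectivity(output):
    """ok is True only when every required client is present and connected; a last err on a connected client is a warning."""
    clients = parse_security_clients(output)
    failures, warnings = [], []
    for name in REQUIRED_CLIENTS:
        c = clients.get(name)
        if c is None:
            failures.append(f"{name}: no status block in output")
        elif not c.get("connected"):
            failures.append(f"{name}: not connected to {c.get('server', '?')}")
        elif c.get("last_err"):
            warnings.append(f"{name}: connected, last err: {c['last_err']}")
    return {"ok": not failures, "failures": failures, "warnings": warnings}
```

Paste the full CLI output into SAMPLE_STATUS, or pass it to check_adns_connectivity, to run the check against your own firewall.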
If you are unable to connect to the Advanced DNS Security cloud service,
verify that the Advanced DNS Security server is not being blocked:
dns.service.paloaltonetworks.com.