Enable DNS Security
Configure DNS Security by adding an Anti-Spyware profile to the Security Policy. Use
cloud-based categories and actions to block malicious domains and identify infected internal
hosts.
Where Can I Use This? Prisma Access, NGFW, VM-Series, CN-Series
What Do I Need? An active DNS Security and Threat Prevention (or Advanced Threat Prevention) subscription
DNS Security is a subscription service that allows Palo Alto Networks
NGFWs to identify and block access to malicious domains. To configure
this protection, you must first create or modify an Anti-Spyware profile. Within
this profile, the NGFW leverages a cloud-based database to categorize DNS
queries in real-time. By assigning specific actions—such as alert, allow,
block, or sinkhole—to categories like command-and-control (C2) or
phishing, you define how the network responds to suspicious name resolution
attempts.
The configuration is only enforced once the Anti-Spyware profile is attached to a
Security Policy rule. This ensures that DNS traffic originating from
protected zones is actively inspected as it passes through the firewall. When a client's
query matches a known malicious domain, the NGFW executes the defined
policy action and generates a threat log, providing visibility into potential infections
or unauthorized communication attempts.
Using the sinkhole action allows the NGFW to forge a response that redirects the client to a safe IP address, instead of simply dropping a malicious query. This method prevents the connection to a malicious server while simultaneously allowing administrators to identify the internal source of the traffic in the traffic logs.
Enable DNS Security (Strata Cloud Manager)
Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention) license is active. Select and click the license usage terms link in the License panel. You should see green check marks next to the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS Security.
Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic through an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence over the
DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even when the EDL
is explicitly configured with an action of Allow. If you want to add DNS
domain exceptions, add them to the DNS Domain/FQDN Allow List located in
the DNS Exceptions tab.
Select .
Create or modify an existing DNS Security profile.
Name the profile and, optionally, provide a description.
In the DNS Categories section, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as the packet capture setting.
Select an action to be taken when DNS lookups are made to known malware sites for the DNS
Security signature source. The options are alert, allow,
block, or sinkhole. Palo Alto Networks recommends setting
the action to sinkhole.
You can fully bypass DNS traffic inspection by configuring
a policy action of Allow with a corresponding
log severity of None for each DNS signature
source.
In the Packet Capture drop-down, select single-packet to
capture the first packet of the session or extended-capture to
set between 1-50 packets. You can then use the packet captures for
further analysis.
In the DNS Sinkhole Settings section, verify that a valid Sinkhole address is present. For your convenience, the default setting (pan-sinkhole-default-ip) is set to access a Palo Alto Networks sinkhole server. Palo Alto Networks can automatically refresh this address through updates.
Sinkhole forges a response to a DNS query for domains that match the DNS
category configured for a sinkhole action to the specified
sinkhole server, to assist in identifying compromised hosts.
When the default sinkhole FQDN is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: 198.135.184.22.
(Optional) Block the specified DNS resource record types used to exchange keying information during the encryption of the client hello in the subsequent TLS connection. The following DNS RR types are available: SVCB (64), HTTPS (65), and ANY (255).
While it is not necessary to block ECH in order to enable DNS Security over DoH, Palo Alto Networks currently recommends blocking all DNS record types used by ECH for optimum security. To block all DNS record types, you must select each of the Block DNS Record Types: SVCB, HTTPS, and ANY.
Save the DNS Security profile.
Attach the DNS Security profile to a Security
policy rule. Test that the policy action is enforced.
Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
To monitor the activity:
View the activity logs and search for the URL Domain with a sinkholed action to view the log entries for the test domain you accessed.
Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the DNS Security profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appear as a conventional dns-base application with a source port of 853.
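The sinkhole settings step above describes two replies a client can receive for a flagged name: a CNAME to the sinkhole FQDN, which an internal resolver must turn into an A record, or the sinkhole IP directly. The following Python script, an added example that is not part of this documentation or a Palo Alto Networks tool, builds a raw DNS query, parses the reply, and classifies it as sinkholed, sinkholed by CNAME only (the case where the page says to switch to the IP sinkhole), normally resolved, or dropped; the resolver address passed to check_domain and the constructed replies used offline are assumptions.

```python
import socket
import struct

SINKHOLE_FQDN = "sinkhole.paloaltonetworks.com"  # default sinkhole FQDN named on the page
SINKHOLE_IP = "198.135.184.22"                    # sinkhole IPv4 address named on the page
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name):  # dotted name -> uncompressed DNS wire labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid):  # recursive A query (RD=1): 12-byte header plus one question
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, 1)

def build_response(qid, name, answers):  # constructed reply for offline use; answers: [(rtype, rdata)] for name
    pkt = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        rd = socket.inet_aton(rdata) if rtype == TYPE_A else encode_name(rdata)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rd)) + rd  # 0xc00c: pointer to the question name
    return pkt

def read_name(data, off):
    """Decode a possibly compressed name at off; return (name, offset just past it)."""
    labels = []
    while (n := data[off]) and n & 0xC0 != 0xC0:
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    if n & 0xC0 == 0xC0:                          # compression pointer: the rest of the name lives elsewhere
        tail, _ = read_name(data, struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF)
        return ".".join(labels + [tail]), off + 2
    return ".".join(labels), off + 1

def parse_answers(data):
    """[(owner, rtype, rdata)] for each record in the answer section of a reply."""
    qd, an = struct.unpack("!HH", data[4:8])
    off, answers = 12, []
    for _ in range(qd):                           # skip the echoed question(s)
        off = read_name(data, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = socket.inet_ntoa(data[off:off + 4]) if rtype == TYPE_A else (
            read_name(data, off)[0] if rtype == TYPE_CNAME else data[off:off + rdlen])
        answers.append((owner, rtype, rdata))
        off += rdlen
    return answers

def classify(answers):
    """Interpret a reply against the sinkhole behaviour the page describes."""
    if any(t == TYPE_A and r == SINKHOLE_IP for _, t, r in answers):
        return "sinkholed"                        # client will connect to the sinkhole IP: visible in the traffic log
    if any(t == TYPE_CNAME and r == SINKHOLE_FQDN for _, t, r in answers):
        return "sinkholed-cname-only"             # nothing resolved the CNAME to an A record: use the IP sinkhole
    return "no-answer" if not answers else "resolved"   # resolved: DNS Security did not act on this name

def check_domain(name, resolver, timeout=3.0, qid=0x1234):
    """Live check through a resolver behind the firewall; 'dropped' when no reply arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "dropped"
    return classify(parse_answers(data)) if data[:2] == struct.pack("!H", qid) else "bad-id"
```

Run check_domain against a DNS Security test domain from inside a protected zone; a result of sinkholed-cname-only or dropped on hosts without an internal resolver is the condition under which the page recommends the sinkhole IP address instead of the FQDN.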
Enable DNS Security (NGFW (Managed by PAN-OS or Panorama))
PAN-OS 10.0 and later supports individually configurable DNS signature sources,
which enables you to define separate policy actions as well as a log severity level for
a given signature source. This enables you to create discrete, precise security actions
based on the threat posture of a domain type according to your network security
protocols. The DNS signature source definitions are extensible through PAN-OS content
releases so, when new DNS Security analyzers are introduced, you are able to create
specific policies based on the nature of the threat. Upon upgrade to PAN-OS 10.0 and
later, the DNS Security source gets redefined into new categories to provide extended
granular controls; as a result, the new categories will overwrite the previously defined
action and acquire default settings. Make sure to reapply any sinkhole, log severity,
and packet capture settings appropriate for the newly defined DNS Security
Categories.
Enable DNS Security (PAN-OS 11.0 and Later)
Log in to the NGFW. To take advantage of DNS Security, you must have an active
DNS Security and Threat Prevention (or Advanced Threat Prevention)
subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions you currently have licenses for, select and verify that the appropriate licenses display and have not expired.
Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic through an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
Configure DNS Security signature policy settings to send
malicious DNS queries to the defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence over the
DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even when the EDL
is explicitly configured with an action of Allow. If you want to add DNS
domain exceptions, add them to the DNS Domain/FQDN Allow List located in
the DNS Exceptions tab.
Select .
Create or modify an existing profile, or select one
of the existing default profiles and clone it.
Name the profile and, optionally,
provide a description.
Select the DNS Policies tab.
In the Signature Source column, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as a log severity level.
Specify the log severity level that is recorded
when the firewall detects a domain matching a DNS signature. For
more information about the various log severity levels, refer to
Threat Severity Levels.
Select an action to be taken when DNS lookups are made to
known malware sites for the DNS Security signature source. The options are
default, allow, block, or sinkhole. Verify that the action is set
to sinkhole.
You can fully bypass DNS traffic inspection by configuring
a policy action of Allow with a corresponding
log severity of None for each DNS signature
source.
In the Packet Capture drop-down, select single-packet to
capture the first packet of the session or extended-capture to
set between 1-50 packets. You can then use the packet captures for
further analysis.
In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
Sinkhole forges a response to a DNS query for domains that match the DNS
category configured for a sinkhole action to the specified
sinkhole server, to assist in identifying compromised hosts.
When the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: 198.135.184.22.
(Optional) Block the specified DNS resource record types used to exchange keying information during the encryption of the client hello in the subsequent TLS connection. The following DNS RR types are available: SVCB (64), HTTPS (65), and ANY (255).
Click OK to save the Anti-Spyware profile.
Attach the Anti-Spyware profile to a Security policy
rule.
Select .
Select or create a Security Policy Rule.
On the Actions tab, select the Log at Session End check box to enable logging.
In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new or modified profile.
Click OK to save the policy rule.
Test that the policy action is enforced.
Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
To monitor the activity on the firewall:
Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
Select and filter by (action eq sinkhole) to view logs on sinkholed domains.
Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the Anti-Spyware profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appear as a conventional dns-base application with a source port of 853.
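The monitoring steps above filter the threat log on (action eq sinkhole) and rely on the forged answer sending the client to the sinkhole address, so that the follow-up session shows up in the traffic log. The following Python snippet, an added example and not Palo Alto Networks code, applies that logic to a few constructed records in a simplified key=value layout (not the real PAN-OS log field order): it lists the hosts whose sinkholed lookup was followed within a short window by a session to 198.135.184.22 separately from hosts that only resolved a flagged name; the window size and the sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IP = "198.135.184.22"   # sinkhole IPv4 address named on the page

# Constructed sample records in a simplified key=value layout (not the real PAN-OS log field order).
THREAT_LOG = """\
time=2024-05-01T10:00:01 type=THREAT src=10.1.1.25 dst=10.1.1.5 app=dns-base action=sinkhole domain=malware-test.example
time=2024-05-01T10:00:03 type=THREAT src=10.1.1.40 dst=10.1.1.5 app=dns-base action=alert domain=suspicious.example
time=2024-05-01T10:05:10 type=THREAT src=10.1.1.25 dst=10.1.1.5 app=dns-base action=sinkhole domain=c2-test.example
time=2024-05-01T10:06:00 type=THREAT src=10.1.1.77 dst=10.1.1.5 app=dns-base action=sinkhole domain=malware-test.example
"""
TRAFFIC_LOG = """\
time=2024-05-01T10:00:02 type=TRAFFIC src=10.1.1.25 dst=198.135.184.22 dport=443 app=ssl
time=2024-05-01T10:00:05 type=TRAFFIC src=10.1.1.40 dst=203.0.113.9 dport=443 app=ssl
time=2024-05-01T10:05:11 type=TRAFFIC src=10.1.1.25 dst=198.135.184.22 dport=80 app=web-browsing
"""

def parse(text):
    """One dict per non-empty line, e.g. {'time': ..., 'src': ..., 'action': ...}."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in text.splitlines() if line.strip()]

def sinkholed_lookups(threat_records):
    """The page's (action eq sinkhole) filter: which internal host resolved which flagged domain."""
    return [r for r in threat_records if r["action"] == "sinkhole"]

def correlate(threat_records, traffic_records, window_s=60):
    """Split sinkholed lookups into hosts that then opened a session to the sinkhole IP (the
    compromised clients the sinkhole is meant to expose) and hosts that only resolved the name."""
    sessions = defaultdict(list)               # src -> times of sessions whose destination is the sinkhole
    for r in traffic_records:
        if r["dst"] == SINKHOLE_IP:
            sessions[r["src"]].append(datetime.fromisoformat(r["time"]))
    confirmed, lookup_only = defaultdict(list), defaultdict(list)
    for r in sinkholed_lookups(threat_records):
        t = datetime.fromisoformat(r["time"])
        followed = any(timedelta(0) <= s - t <= timedelta(seconds=window_s) for s in sessions.get(r["src"], []))
        (confirmed if followed else lookup_only)[r["src"]].append(r["domain"])
    return dict(confirmed), dict(lookup_only)

if __name__ == "__main__":
    hosts, lookups = correlate(parse(THREAT_LOG), parse(TRAFFIC_LOG))
    for src, domains in hosts.items():
        print(f"{src}: connected to the sinkhole after resolving {', '.join(domains)}")
    for src, domains in lookups.items():
        print(f"{src}: sinkholed lookup only ({', '.join(domains)}); no session to the sinkhole seen")
```

A host that appears only in the lookup-only list is still worth a look: either the client never followed the answer, or its resolver could not turn the sinkhole CNAME into an A record, which is the case the sinkhole IP address setting exists for.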
Enable DNS Security (PAN-OS 10.x)
Log in to the NGFW. To take advantage of DNS Security, you must have an active
DNS Security and Threat Prevention (or Advanced Threat Prevention)
subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions you currently have licenses for, select and verify that the appropriate licenses display and have not expired.
Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic through an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
Configure DNS Security signature policy settings to send
malicious DNS queries to the defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence over the
DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even when the EDL
is explicitly configured with an action of Allow. If you want to add DNS
domain exceptions, add them to the DNS Domain/FQDN Allow List located in
the DNS Exceptions tab.
Select .
Create or modify an existing profile, or select one
of the existing default profiles and clone it.
Name the profile and, optionally,
provide a description.
Select the DNS Policies tab.
In the Signature Source column, beneath the DNS Security heading, there are individually configurable DNS signature sources, which allow you to define separate policy actions as well as a log severity level.
Specify the log severity level that is recorded
when the firewall detects a domain matching a DNS signature. For
more information about the various log severity levels, refer to
Threat Severity Levels.
Select an action to be taken when DNS lookups are made to
known malware sites for the DNS Security signature source. The options are
default, allow, block, or sinkhole. Verify that the action is set
to sinkhole.
You can fully bypass DNS traffic inspection by configuring
a policy action of Allow with a corresponding
log severity of None for each DNS signature
source.
In the Packet Capture drop-down, select single-packet to
capture the first packet of the session or extended-capture to
set between 1-50 packets. You can then use the packet captures for
further analysis.
In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
Sinkhole forges a response to a DNS query for domains that match the DNS
category configured for a sinkhole action to the specified
sinkhole server, to assist in identifying compromised hosts.
When the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: 198.135.184.22.
Click OK to save the Anti-Spyware profile.
Attach the Anti-Spyware profile to a Security policy
rule.
Select .
Select or create a Security Policy Rule.
On the Actions tab, select the Log at Session End check box to enable logging.
In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new or modified profile.
Click OK to save the policy rule.
Test that the policy action is enforced.
Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
To monitor the activity on the firewall:
Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
Select and filter by (action eq sinkhole) to view logs on sinkholed domains.
Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the Anti-Spyware profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appear as a conventional dns-base application with a source port of 853.
Enable DNS Security (PAN-OS 9.1)
Log in to the NGFW. To take advantage of DNS Security, you must have an active
DNS Security and Threat Prevention subscription.
Verify that you have the necessary subscriptions. To verify which subscriptions you currently have licenses for, select and verify that the appropriate licenses display and have not expired.
Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.
If your firewall deployment routes your management traffic through an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
Configure DNS Security signature policy settings to send
malware DNS queries to the defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence over the
DNS Security domain policy actions. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even when the EDL
is explicitly configured with an action of Allow.
Select .
Create or modify an existing profile, or select one
of the existing default profiles and clone it.
Name the profile and, optionally,
provide a description.
Select the DNS Signatures > Policies & Settings tab.
If the Palo Alto Networks DNS Security source is not present, click Add and select it from the list.
Select an action to be taken when DNS lookups are
made to known malware sites for the DNS Security signature source.
The options are alert, allow, block, or sinkhole. Verify that the
action is set to sinkhole.
(Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.
In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
Sinkhole forges a response to a DNS query for domains that match the DNS
category configured for a sinkhole action to the specified
sinkhole server, to assist in identifying compromised hosts.
When the default sinkhole FQDN (sinkhole.paloaltonetworks.com) is used, the firewall sends the CNAME record as a response to the client, with the expectation that an internal DNS server will resolve the CNAME record, allowing malicious communications from the client to the configured sinkhole server to be logged and readily identifiable. However, if clients are in networks without an internal DNS server, or are using software or tools that cannot properly resolve a CNAME into an A record response, the DNS request is dropped, resulting in incomplete traffic log details that are crucial for threat analysis. In these instances, you should use the following sinkhole IP address: 198.135.184.22.
Click OK to save the Anti-Spyware profile.
Attach the Anti-Spyware profile to a Security policy
rule.
Select .
Select or create a Security Policy Rule.
On the Actions tab, select the Log at Session End check box to enable logging.
In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new or modified profile.
Click OK to save the policy rule.
Test that the policy action is enforced.
Access the DNS Security test domains to verify that the policy action for a given threat type is being enforced.
To monitor the activity on the firewall:
View the Threat Activity and Blocked Activity for the test domain you accessed.
Select and filter by (action eq sinkhole) to view logs on sinkholed domains.
Optional—Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. The decrypted DNS payload can then be processed using the Anti-Spyware profile configuration containing your DNS policy settings. When DNS-over-TLS traffic is decrypted, the resulting DNS requests in the threat logs will appear as a conventional dns-base application with a source port of 853.