Encrypted DNS for DNS Proxy and the Management Interface
Focus
Focus
What's New in the NetSec Platform

Encrypted DNS for DNS Proxy and the Management Interface

Table of Contents

Encrypted DNS for DNS Proxy and the Management Interface

You can use encrypted DNS on the firewall when it's acting as a DNS proxy or on the firewall's management interface to help maintain privacy and protect DNS traffic.
When you use DNS on your operating systems and web browsers, you can encrypt the DNS traffic to help maintain privacy and protect traffic from meddler (MitM) attacks. If you configure your PAN-OS firewall to act as a DNS proxy, you can enable encrypted DNS and configure the DNS proxy to accept one or more types of DNS communication from the client: DNS-over-HTTP (DoH), DNS-over-TLS (DoT), or cleartext.
To enforce encryption, you specify the type of encryption that the DNS proxy should use to communicate with DNS servers. If a DNS server rejects encrypted DNS or the DNS proxy does not receive a response from the primary or secondary server within the timeout period, you can configure the DNS proxy to fall back to unencrypted DNS communications with the server.
Additionally, you can enable encrypted DNS on the management interface of the firewall so that DNS requests use DoH, DoT, or fall back to unencrypted DNS.