The DNS Security service collects server response and request information based on your security policy rules, associated action, and the DNS query details when performing domain lookups to generate DNS Security logs for CDL-based activity applications (AIOps, Prisma Access, CDL, etc). Additionally, the network security platform forwards supplemental DNS data to the DNS Security cloud servers and is used by Palo Alto Networks services to provide more accurate domain information (such as provider ASN, hosting information, and geolocation identification). While this supplemental data is not necessary to operate the DNS Security service, it provides the resources to generate improved analytics, DNS detection, and prevention capabilities. This action occurs in less than 30 seconds after data collection occurs. To minimize firewall performance impact, DNS Security telemetry operates with minimal overhead, which can limit the total amount of DNS telemetry data sent to CDL; consequently only a subset of DNS queries are forwarded to CDL as DNS Security log entries. As a result, Palo Alto Networks recommends viewing logs for malicious DNS requests as threat logs instead of DNS Security logs.

DNS Security can submit the following data fields:

Data fields that can be used to potentially identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission using the following CLI command:

set deviceconfig setting ctd cloud-dns-privacy-mask yes

. You must

commit

the changes for the update to take effect.