The DNS Security service collects
server response and request information based on your security policy
rules, associated action, and the DNS query details when performing
domain lookups to generate DNS Security logs for CDL-based activity
applications (AIOps, Prisma Access, CDL, etc.). Additionally, the
network security platform forwards supplemental DNS data to the
DNS Security cloud servers, where Palo Alto Networks services use it
to provide more accurate domain information (such as provider ASN,
hosting information, and geolocation identification). While this
supplemental data is not necessary to operate the DNS Security service,
it provides the resources to generate improved analytics, DNS detection,
and prevention capabilities. This action occurs less than 30
seconds after data collection. To minimize firewall performance impact,
DNS Security telemetry operates with minimal overhead, which can
limit the total amount of DNS telemetry data sent to CDL; consequently, only
a subset of DNS queries is forwarded to CDL as DNS Security log
entries. As a result, Palo Alto Networks recommends viewing logs
for malicious DNS requests as threat logs instead of DNS Security
logs.