Palo Alto Networks maintains a network of global and regional domains that provide service for DNS Security. These service domains operate real-time DNS request analyzers and access to the DNS signature database. By default, DNS Security uses the global service domain (dns.service.paloaltonetworks.com), which then automatically redirects to the regional domain that is closest to the network security platform location. Palo Alto Networks recommends using the default global service domain configuration for improved fail-over handling; however, if you experience latency issues due to the particulars of your location (for example, when straddling multiple overlapping regional domains), you can manually specify the service domain. To specify the regional service domain used by DNS Security, you must add a DNS entry for dns.service.paloaltonetworks.com that includes a CNAME record that indicates a valid regional domain as part of your DNS server configuration. After connecting to a regional domain, you can issue the CLI command on the firewall: