Advanced DNS Security License (for enhanced feature support)
or DNS Security License
Advanced Threat Prevention or Threat Prevention License
Palo Alto Networks maintains a network of global and regional domains that provide
service for DNS Security and Advanced DNS Security operations. These service domains
operate real-time DNS request analyzers, access to the DNS signature database and
provide advanced cloud-dependent functionality. By default, DNS Security and Advanced
DNS Security connects to the global service domains (dns.service.paloaltonetworks.com
and adv-dns.service.paloaltonetworks.com,respectively), which then automatically
redirect to the regional domain that is closest to the network security platform
location.
Advanced DNS Security Regional Service Domains
You can manually specify the server used to facilitate Advanced DNS Security queries.
While Palo Alto Networks recommends using the default global service domain, you can
override the selected server if you encounter higher than expected latency or other
service-related issues.
NGFW (PAN-OS 11.2 and later)
You can specify the Advanced DNS Security service domain in PAN-OS from DeviceSetupManagementAdvanced DNS SecurityDNS Security Server.
Strata Cloud Manager
You can specify the Advanced DNS Security service domain in Strata Cloud
Manager from ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security. From the Settings tab, select
Customize to edit the server settings.
This setting does not impact how standard DNS Security queries are handled.
The following table lists the service domains used by Advanced DNS Security:
Location
URL
Cape Town, South Africa
dns-za.service.paloaltonetworks.com
Bahrain
dns-bh.service.paloaltonetworks.com
Paris, France
dns-fr.service.paloaltonetworks.com
Tokyo, Japan
dns-jp.service.paloaltonetworks.com
Singapore
dns-sg.service.paloaltonetworks.com
Sydney, Australia
dns-au.service.paloaltonetworks.com
London, England
dns-uk.service.paloaltonetworks.com
Frankfurt, Germany
dns-de.service.paloaltonetworks.com
Eemshaven, Netherlands
dns-nl.service.paloaltonetworks.com
Council Bluffs, Iowa, USA
dns-us-ia.service.paloaltonetworks.com
Ashburn, Northern Virginia, USA
dns-us-va.service.paloaltonetworks.com
The Dalles, Oregon, USA
dns-us-or.service.paloaltonetworks.com
Montreal, Quebec, Canada
dns-ca.service.paloaltonetworks.com
Osasco, São Paulo, Brazil
dns-br.service.paloaltonetworks.com
Los Angeles, California, USA
dns-us-ca.service.paloaltonetworks.com
Hong Kong
The Advanced DNS Security regional service domain in Hong Kong
has two FQDN options:
dns-hk.service.paloaltonetworks.com
dns-cn.service.paloaltonetworks.com
Palo Alto Networks recommends using the
dns-cn.service.paloaltonetworks.com
FQDN if you experience connectivity or access issues.
