Palo Alto Networks maintains a network of global
and regional domains that provide service for DNS Security. These
service domains operate real-time DNS request analyzers and access
to the DNS signature database. By default, DNS Security uses the
global service domain (dns.service.paloaltonetworks.com), which
then automatically redirects to the regional domain that is closest
to the network security platform location. Palo Alto Networks recommends
using the default global service domain configuration for improved
fail-over handling; however, if you experience latency issues due
to the particulars of your location (for example, when straddling
multiple overlapping regional domains), you can manually specify
the service domain. To specify the regional service domain used
by DNS Security, you must add a DNS entry for dns.service.paloaltonetworks.com
that includes a CNAME record that indicates a valid regional domain
as part of your DNS server configuration. After connecting to a regional
domain, you can issue the CLI command on the firewall:
show dns-proxy dns-signature counters
to
review the average latency. The relevant section is located under
the Signature query API heading.
