>
    Strata Copilot
    Configure Advanced DNS Security Resolver for DoH
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced DNS Security Powered by Precision AI®
    3. Configure Advanced DNS Security Resolver
    4. Configure Advanced DNS Security Resolver for DoH
    Download PDF
    Advanced DNS Security Powered by Precision AI®

    Configure Advanced DNS Security Resolver for DoH

    Table of Contents

    Configure Advanced DNS Security Resolver for DoH

    The Advanced DNS Security Resolver supports analysis and categorization of DNS payloads contained within encrypted DNS traffic requests to DNS hosts using DoH.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Advanced DNS Security Resolver License
    You can configure the Advanced DNS Security Resolver to analyze and categorize DNS payloads contained within encrypted DNS traffic requests to DNS hosts using DoH. DNS over HTTPS (DoH) is a security protocol that encrypts Domain Name System (DNS) queries to enhance user privacy and security. This provides protection against critical vulnerabilities in traditional DNS systems (DNS over UDP/TCP) which transmit queries in plaintext, making them susceptible to eavesdropping and manipulation.
    The DNS over HTTPS implementation follows RFC standards and provides secure DNS resolution through HTTPS endpoints. The service operates through a dedicated domain (https://edge-dns.service.paloaltonetworks.com/dns-query). The system supports both HTTP/1.1 and HTTP/2 traffic with appropriate ALPN (Application-Layer Protocol Negotiation) advertising. Clients can send DNS queries using either GET or POST methods in two standardized formats: binary and JSON.
    1. Enable your Advanced DNS Security Resolver. When defining your connection sources, be sure to include all clients in the branch/campus network.
    2. Retrieve the FQDN used to facilitate DNS-over-HTTPS queries.
      1. Select ManageConfigurationADNS Resolver and then go to the DNS Resolver Configurations tab.
      2. In the DNS Resolver Info window, refer to the DNS over HTTPS field.
        The full URL for the Advanced DNS Security Resolver is: https://edge-dns.service.paloaltonetworks.com/dns-query. It might be necessary to provide the full URL, depending on the application where the resolver is specified.
    3. Update your client device(s) to use the supplied DNS over HTTPS FQDN for DNS queries.
    4. (Optional) If the client device uses JSON formatted DNS queries, you must update the header format to enforce usage of the dns-json format with the following header:
      --header 'Accept: application/dns-json'
      For example:
      curl 'https://edge-dns.service.paloaltonetworks.com/dns-query?name=paloaltonetworks.com&type=A' --header 'Accept: application/dns-json'
    5. (Optional) Search for HTTPS-encrypted DNS queries that have been processed using the Advanced DNS Security Resolver.
      1. Select Log Viewer and use the drop down to select the DNS Security (Resolver and SDWAN and Panos 12.1 or later) log type.
      2. Submit a log query based on the application, using dns-over-https, for example, app = 'dns-over-https'.
      3. Select a log entry to view the details of a detected DNS threat that uses DoH.
      4. The threat Application is displayed in the General pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.

    © 2026 Palo Alto Networks, Inc. All rights reserved.