Advanced DNS Security Powered by Precision AI®
Configure Advanced DNS Security Resolver for DoH
The Advanced DNS Security Resolver can analyze and categorize the DNS payloads
carried inside encrypted DNS requests that clients send to DNS hosts using DoH.
You can configure the Advanced DNS Security Resolver to analyze and categorize the DNS
payloads carried inside encrypted DNS requests that clients send to DNS hosts using
DoH. DNS over HTTPS (DoH, RFC 8484) carries Domain Name System (DNS) queries inside
HTTPS to improve user privacy and security. Traditional DNS over UDP/TCP transmits
queries in plaintext, so anyone on the network path can read or alter them; DoH
protects against that on-path eavesdropping and manipulation. Because the traffic is
encrypted between the client and the resolver, inspection of the DNS payload has to
happen at the resolver itself, which is what this feature provides.
The DNS over HTTPS implementation follows RFC 8484 and provides secure DNS resolution
through an HTTPS endpoint. The service operates through a dedicated endpoint
(https://edge-dns.service.paloaltonetworks.com/dns-query). The server supports both
HTTP/1.1 and HTTP/2 and advertises both through ALPN (Application-Layer Protocol
Negotiation) during the TLS handshake. Clients can send DNS queries using either the
GET or the POST method, in two formats: the binary DNS wire format standardized in
RFC 8484 (application/dns-message) and the widely used JSON format
(application/dns-json).
1. Enable your Advanced DNS Security Resolver. When defining your connection sources, be sure to include all clients in the branch/campus network.
2. Retrieve the FQDN used to facilitate DNS-over-HTTPS queries.
   - Select Manage > Configuration > ADNS Resolver and then go to the DNS Resolver Configurations tab.
   - In the DNS Resolver Info window, refer to the DNS over HTTPS field. The full URL for the Advanced DNS Security Resolver is https://edge-dns.service.paloaltonetworks.com/dns-query. Depending on the application where the resolver is specified, you might need to provide the full URL rather than only the FQDN.
3. Update your client device(s) to use the supplied DNS over HTTPS FQDN for DNS queries.
4. (Optional) If the client device uses JSON-formatted DNS queries, set the Accept header so that the resolver uses the dns-json format:

   --header 'Accept: application/dns-json'

   For example:

   curl 'https://edge-dns.service.paloaltonetworks.com/dns-query?name=paloaltonetworks.com&type=A' --header 'Accept: application/dns-json'

5. (Optional) Search for HTTPS-encrypted DNS queries that have been processed using the Advanced DNS Security Resolver.
   - Select Log Viewer and use the drop-down to select the DNS Security (Resolver and SDWAN and Panos 12.1 or later) log type.
   - Submit a log query based on the application, using dns-over-https, for example: app = 'dns-over-https'.
   - Select a log entry to view the details of a detected DNS threat that uses DoH. The threat Application is displayed in the General pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
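The following is an added example, not Palo Alto Networks code, showing what a DoH client actually sends in the two formats and two methods described above: it builds an RFC 8484 wire-format query, encodes it for the GET (base64url, unpadded `dns=` parameter) and POST forms, parses a wire-format answer including name compression, and parses an `application/dns-json` answer of the kind the curl example returns. The endpoint URL is the one named on this page; the helper names and the sample responses are assumptions constructed for illustration, and the A record uses the TEST-NET-1 documentation prefix rather than a real address.

```python
import base64
import json
import struct
import urllib.request

# Endpoint named on this page; everything else in this block is an assumption.
DOH_URL = "https://edge-dns.service.paloaltonetworks.com/dns-query"
QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}


def build_dns_query(name, qtype="A", txid=0):
    """Single-question DNS message in wire format (RFC 1035 section 4.1).
    RFC 8484 suggests ID 0 so identical queries produce identical cache keys."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN


def doh_get_url(wire, base=DOH_URL):
    """GET form: the wire message, base64url without padding, in the dns= parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


def decode_doh_get_url(url):
    """Inverse of doh_get_url: what a DoH server does with the dns= parameter."""
    param = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if not jumped else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_dns_response(msg):
    """Answer section of a wire-format response as [(name, type, ttl, data)]."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def parse_json_response(text):
    """application/dns-json body -> the same (name, type, ttl, data) tuples."""
    doc = json.loads(text)
    if doc.get("Status", 0) != 0:
        raise ValueError("DNS error rcode=%d" % doc["Status"])
    return [(a["name"], a["type"], a["TTL"], a["data"]) for a in doc.get("Answer", [])]


def doh_resolve(name, qtype="A", method="POST", fmt="wire"):
    """Live query against DOH_URL (needs network; the sample data below does not)."""
    if fmt == "json":
        req = urllib.request.Request("%s?name=%s&type=%s" % (DOH_URL, name, qtype),
                                     headers={"Accept": "application/dns-json"})
        with urllib.request.urlopen(req, timeout=5) as r:
            return parse_json_response(r.read().decode())
    wire = build_dns_query(name, qtype)
    if method == "GET":
        req = urllib.request.Request(doh_get_url(wire),
                                     headers={"Accept": "application/dns-message"})
    else:
        req = urllib.request.Request(DOH_URL, data=wire, method="POST",
                                     headers={"Accept": "application/dns-message",
                                              "Content-Type": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return parse_dns_response(r.read())


# Constructed sample responses (not captured from the real service).
SAMPLE_WIRE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"           # header: QR RD RA, 1 Q, 1 A
    b"\x10paloaltonetworks\x03com\x00\x00\x01\x00\x01"              # question, A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"  # ptr, A, IN, TTL 300
)
SAMPLE_JSON_RESPONSE = json.dumps({"Status": 0, "Answer": [
    {"name": "paloaltonetworks.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"}]})

if __name__ == "__main__":
    print(doh_get_url(build_dns_query("paloaltonetworks.com")))
    print(parse_dns_response(SAMPLE_WIRE_RESPONSE))
    print(parse_json_response(SAMPLE_JSON_RESPONSE))
```

A practical check when validating a client configuration: if a client sends the JSON form without the `Accept: application/dns-json` header, or sends a wire-format body without `Content-Type: application/dns-message`, the resolver has no way to tell the two formats apart, so always set the header explicitly as the curl example above does. The `decode_doh_get_url` helper also shows why the GET form strips base64 padding: a literal `=` in a query string would otherwise need percent-encoding.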