>
    Strata Copilot
    Enable Advanced DNS Resolver
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced DNS Security Powered by Precision AI®
    3. Configure Advanced DNS Resolver
    4. Enable Advanced DNS Resolver
    Download PDF
    Advanced DNS Security Powered by Precision AI®

    Enable Advanced DNS Resolver

    Table of Contents

    Enable Advanced DNS Resolver

    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Advanced DNS Resolver License
    To enable the Advanced DNS Resolver, you must create (or modify) a DNS Security profile and add/verify connection sources used by the Advanced DNS Resolver service. There are optional tasks that provide extended functionality and additional security options. Please review all of the steps below before committing to the deployment process.
    1. Verify that you have a license for the Advanced DNS Resolver.
    2. Log in to the Strata Cloud Manager on the hub.
    3. Configure an Advanced DNS Resolver security profile. You can also use the default best-practice security profile, however, you should still review the configuration to verify that it is appropriate for your deployment.
      Alternatively, you can create an Advanced DNS Resolver security profile from the Create Connection Source menu (ManageConfigurationADNS Resolver. This allows you to create a security profile (step 2) and add connection sources as part of a single workflow (step 6).
      1. Select ManageConfigurationADNS Resolver and then go to the DNS Security Profiles tab.
      2. Select Create DNS Security Profile and in the General tab, provide a name and description for the security profile.
      3. In the Categories tab, for each of the domain categories listed under the primary groupings (Content, DNS Security, and Advanced DNS Security), specify a policy Action to take when a corresponding domain type is detected.
        Policy Action Options:
        • allow—The DNS query is allowed.
        • alert—The DNS query generates an alert. DNS queries that generate an alert are saved in the DNS Security log.
        • block—The DNS query is blocked.
        • sinkhole—Forges a DNS response for a DNS query targeting a detected malicious domain. This directs the resolution of the malicious domain name to a specific IP address (referred to as the Sinkhole IP), which is embedded as the response.
      4. (Optional) Add domains that you want the ADNS Resolver to bypass. If your organization uses third party threat feeds as part of a comprehensive threat intelligence solution, you can also reference those in the form of external dynamic lists (EDLs) as part of your overrides configuration.
    4. Review your Advanced DNS Resolver configuration settings and provide connection sources.
    5. Select ManageConfigurationADNS Resolver and then go to the DNS Resolver Configurations tab.
      From here, you can review your DNS resolver details:
      • Connection Source Verification Status—Provides a breakdown of the verification status of all the connection sources you have added to your Advanced DNS Resolver configuration. You must validate the egress IP address of a connection source to enable processing of DNS requests. If the IP is not validated, it is not considered to be part of the network and requests to that IP are rejected.
      • DNS Resolver Info—The Palo Alto Networks Advanced DNS Resolver server details. The server that you connect to is dependent on your geolocation. The Advanced DNS resolver connects you to the service via an anycast IP to provide optimum service reliability and performance.
      • DNS Sinkhole Settings—Indicates the currently selected DNS sinkhole server (the default is the Palo Alto Networks hosted DNS sinkhole) and the configured block page contents.
      • Connection Sources—Lists all of the connection sources added to your Advanced DNS Resolver. Connection sources are egress IP addresses in your branch/campus/datacenter that will be subject to the security policies dictated by the Advanced DNS Resolver policies.
    6. Add and configure connection sources to your Advanced DNS Resolver configuration.
    7. (Internal DNS Server) Configure your internal DNS server to use the Advanced DNS Resolver anycast IP addresses located under DNS Resolver Info.
    8. Configure your ADNS Resolver sinkhole settings and, optionally, configure a customized block page.
    9. (Optional) Update your access control configuration to include Advanced DNS Resolver functionality. The following default Enterprise Roles provide multiple read and write permissions for the Advanced DNS Resolver (shown as Atmos Resolver):
    10. (Optional) Add internal domains to be excluded from getting processed by the Advanced DNS resolver.
    11. (Optional) Search for threat intelligence that Palo Alto Networks has collected for a domain using Strata Cloud Manager IOC Search.
      The IOC Search does not currently support visualization of local network activity seen by the Advanced DNS Resolver.
    12. (Optional) Review logs generated by the Advanced DNS Resolver in Strata Cloud Manager.
    13. (Optional) View Activity Insights: Domains for a high level view of the trends and statistics of your DNS Security usage.

    © 2025 Palo Alto Networks, Inc. All rights reserved.