>
    Strata Copilot
    Manage Custom FQDN List
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced DNS Security Powered by Precision AI®
    3. Configure Advanced DNS Security Resolver
    4. Manage Custom FQDN List
    Download PDF
    Advanced DNS Security Powered by Precision AI®

    Manage Custom FQDN List

    Table of Contents

    Manage Custom FQDN List

    Group FQDNs into objects to override Advanced DNS Security Resolver settings. Apply granular allow, block, or sinkhole actions at the profile level for tailored network access control.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Advanced DNS Security Resolver License
    Custom FQDN lists provide a granular method for managing access within your Advanced DNS Security Resolver configuration. These lists allow you to group specific Fully Qualified Domain Names (FQDNs) into a single object, which can then be used to override global Advanced DNS Security Resolver settings. This is particularly useful for managing allow/block lists for domains that are unique to your organization's operational requirements. When creating these lists, it is essential to include only valid FQDNs; generic keywords or IP addresses are not supported within these specific objects.
    Once defined, these lists are applied to a DNS Security profile, where you can assign a group-level action to all domains within the list. These actions—such as allow, alert, block, or sinkhole—take precedence over the automated categories provided by the Advanced DNS Security Resolver.
    To maintain optimal performance and security, the Advanced DNS Security Resolver supports multiple custom lists, allowing you to categorize your overrides by department, risk level, or geographic region. It is important to remember that the order of operations matters: custom FQDN list actions are evaluated early in the DNS inspection process. By strategically managing these lists, you can fine-tune the resolver's behavior to provide a balance between strict security enforcement and the necessary access required for your specific network environment.
    1. Log in to the Strata Cloud Manager on the hub.
    2. Select ManageConfigurationADNS ResolverDNS Security Profiles and then go to the Custom FQDN List tab.
    3. You can view your available custom FQDN lists and view the general information about each, including the number of FQDNs contained in a given list and a description. Additionally, you can delete or update each FQDN list that was previously added.
      To create a new custom FQDN list:
      1. Select Create FQDN List and provide a name and, optionally, a description, for the new custom FQDN list:
      2. You can either + Add the FQDNs to be added to the FQDNs List or Import List of existing FQDNs supplied in a text (.txt) file managed by your organization.
      3. Save your custom FQDN list.
      To apply the custom FQDN to a DNS Security Profile:
      1. Select ManageConfigurationADNS Resolver and then go to the DNS Security Profiles tab.
      2. Select a DNS Security profile that you want to apply the custom FQDN list to and select Overrides tab.
      3. From the Custom FQDN List panel, + Add or delete list entries (using the icon) to modify the custom FQDN list as necessary. Keep in mind, only custom FQDN lists that have been previously created can be added.
      4. Select an Action for each custom FQDN list entry.
        • allow—The DNS query is allowed.
        • alert—The DNS query generates an alert. DNS queries that generate an alert are saved in the DNS Security log.
        • block—The DNS query is blocked.
        • sinkhole—Forges a DNS response for a DNS query targeting a detected malicious domain. This directs the resolution of the malicious domain name to a specific IP address (referred to as the Sinkhole IP), which is embedded as the response.
      5. You can add multiple entries by opening additional fields using + Add.
      6. Click Save when finished.

    © 2026 Palo Alto Networks, Inc. All rights reserved.