Configure DNS-Over-DoH

Where Can I Use This?
What Do I Need?
  • Prisma Access
  • NGFW
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
You can analyze and categorize the DNS payload contained within encrypted DNS traffic requests to DNS hosts using HTTPS (DoH—[DNS-over-HTTPS]). If your organization currently blocks all DoH requests as Palo Alto Networks recommends, you can transition away from that policy as DNS Security now enables you extract the DNS hostname from the encrypted request and apply your organization’s existing DNS Security policies. This allows you to safety access more websites as support for DoH widens. DNS Security support for DoH is enabled by configuring the firewall to decrypt the payload of DNS requests originating from a user-specified list of DNS resolvers, providing support for a range of server options. The decrypted DNS payload can then be processed using the Anti-spyware profile configuration containing your DNS policy configuration. DNS requests that have been determined to be DoH are labeled as
dns-over-https
in the traffic logs.

Recommended For You