DNS Security can analyze and categorize the DNS payload carried inside encrypted DNS requests sent to DNS hosts over HTTPS (DoH, DNS-over-HTTPS). If your organization currently blocks all DoH requests, as Palo Alto Networks recommends, you can transition away from that policy: DNS Security can now extract the DNS hostname from the encrypted request and apply your organization's existing DNS Security policies to it. This allows you to access more websites safely as support for DoH widens. DNS Security support for DoH is enabled by configuring the firewall to decrypt the payload of DNS requests sent to a user-specified list of DoH resolvers, so you can support a range of resolver options. The decrypted DNS payload is then processed using the Anti-Spyware profile that contains your DNS policy configuration. DNS requests that have been determined to be DoH are labeled as dns-over-https in the traffic logs.
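To make concrete what "extracting the DNS hostname from the decrypted request" involves, the following is an added example (not PAN-OS or Palo Alto Networks code) showing the steps a decrypting inspection point performs on a DoH request as defined in RFC 8484: recognize the request as DoH (POST body with content type application/dns-message, or GET with a base64url-encoded `dns=` query parameter), recover the DNS wire-format message, and parse the question name so that an ordinary DNS policy can be applied to it. The sample requests are constructed inline, not captured traffic; the resolver path `/dns-query` and the hostnames are illustrative assumptions.

```python
"""Added example: classify a decrypted HTTP request as DoH (RFC 8484) and
extract the queried hostname from its DNS wire-format payload.
Not Palo Alto Networks code; sample requests below are constructed."""
import base64
import struct
from typing import Dict, Optional

DOH_CONTENT_TYPE = "application/dns-message"


def build_query(qname: str, qtype: int = 1, txid: int = 0xBEEF) -> bytes:
    """Build a minimal DNS query in wire format (used only to construct sample input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, QTYPE, QCLASS IN
    return header + question


def parse_qname(msg: bytes) -> str:
    """Return the first question name (QNAME) from a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:  # compression pointers are not valid in a query QNAME
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def base64url_decode(s: str) -> bytes:
    """RFC 8484 GET requests carry the message base64url-encoded with padding removed."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def extract_doh_hostname(method: str, target: str,
                         headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Return the queried hostname if this decrypted request is a DoH query, else None."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if method == "POST" and hdrs.get("content-type") == DOH_CONTENT_TYPE:
        return parse_qname(body)
    if method == "GET":
        _, _, query = target.partition("?")
        for param in query.split("&"):
            key, _, value = param.partition("=")
            if key == "dns":
                try:
                    return parse_qname(base64url_decode(value))
                except (ValueError, struct.error, IndexError):
                    return None  # dns= present but not a DNS message: not DoH
    return None


# Constructed sample requests (method, request target, headers, body).
SAMPLE_POST = ("POST", "/dns-query", {"Content-Type": DOH_CONTENT_TYPE},
               build_query("example.com"))
_get_msg = base64.urlsafe_b64encode(build_query("www.example.net")).rstrip(b"=").decode()
SAMPLE_GET = ("GET", f"/dns-query?dns={_get_msg}", {"Accept": DOH_CONTENT_TYPE}, b"")
SAMPLE_HTTPS = ("GET", "/index.html", {"Accept": "text/html"}, b"")

if __name__ == "__main__":
    for name, req in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("plain", SAMPLE_HTTPS)):
        print(name, "->", extract_doh_hostname(*req))
```

The decision that matters for policy is made on the parsed QNAME, exactly as it would be for a cleartext UDP/53 query; everything before that step is only recovering the message from its HTTP wrapper. In a production firewall this classification is gated on the decryption policy matching the configured resolver list first, so traffic to resolvers outside that list is never inspected this way.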