Create or update a security policy rule and reference a
DNS Security profile and a custom URL category list (
Manage
Configuration
PAN-OS and
Prisma Access
Security Services
URL Access Management
) containing the approved list of DoH servers.
Create a block policy to decrypt HTTPS traffic and block all
remaining unsanctioned DoH traffic that is not explicitly allowed by the custom
URL category list (referenced in step 5) by using the App-ID:
dns-over-https
and the following URL category:
encrypted-dns
.
If you already have an existing block policy to block DoH traffic, verify
that the rule is placed below the previous security policy rule used to
match with specific DoH resolvers listed in a custom URL category list
object.
(Optional) Search for activity on the firewall for HTTPS-encrypted
DNS queries that have been processed using DNS Security.
Select
Activity
Logs
Log Viewer
and
select
Threat
.
Submit a log query based on the application, using
dns-over-https
,
for example,
app = 'dns-over-https'
.
Select a log entry to view the details of a detected
DNS threat that uses DoH.
The threat
Application
is displayed
in the
General
pane of the detailed log view.
Other relevant details about the threat are displayed in their corresponding
windows.