Configure DNS Security Over TLS
Advanced DNS Security Powered by Precision AI®

Inspect encrypted DNS over TLS (DoT) by enabling SSL Decryption. Target port 853 to decrypt payloads, allowing DNS Security to apply Anti-Spyware profiles and block malicious queries.
Where Can I Use This?
  • Prisma Access
  • NGFW
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
To maintain full visibility and control over modern encrypted traffic, the firewall can inspect DNS over TLS (DoT) requests. While encryption normally prevents the NGFW from seeing the destination of a DNS query, enabling SSL Decryption allows the firewall to intercept and decrypt the packet payload. Once decrypted, the DNS request is handed off to DNS Security, where it is evaluated against your Anti-Spyware profile and DNS policy settings just like standard plaintext DNS traffic.
When a DNS request is identified as originating from a TLS source (typically using TCP port 853), the firewall processes it according to your configured security rules. If a threat is detected or a domain is blocked, the event is recorded in the Threat Logs. To specifically isolate and monitor these encrypted queries, you can filter your logs for traffic where the Destination Port is 853. This visibility is essential for identifying sophisticated malware techniques that attempt to bypass traditional security controls by hiding malicious lookups within encrypted tunnels.
To ensure this inspection occurs, you must configure a Decryption Policy rule that targets the dns-over-tls application. Without a valid decryption rule, DoT traffic will bypass DNS Security inspection and appear in the traffic logs as generic encrypted data. By successfully decrypting this traffic, you ensure that your DNS-layer protections, including sinkholing and domain categorization.
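The reason a decrypted DoT query can be handed to DNS Security "just like standard plaintext DNS traffic" is that DNS over TLS (RFC 7858) carries ordinary DNS messages inside TLS on TCP port 853, using the same 2-byte length framing as DNS over TCP. The following added example (not code from the Palo Alto Networks documentation) builds two DoT-framed queries, splits the decrypted byte stream back into DNS messages, extracts each queried name, and applies a constructed blocklist that stands in for a DNS Security verdict; the blocklist entries, the sinkhole address and the `evaluate` function are assumptions made for the demonstration.

```python
"""Added example: what a firewall sees in a DoT session once TLS is stripped.

DoT (RFC 7858) = DNS wire-format messages, each prefixed with a 2-byte
big-endian length, carried over TLS on TCP port 853. After decryption the
payload is plain DNS over TCP, so ordinary DNS inspection applies.
"""
import struct

DOT_PORT = 853

# Constructed blocklist standing in for a DNS Security verdict (hypothetical).
BLOCKED_DOMAINS = {"malicious.example.net"}
# Constructed sinkhole address for this demo (TEST-NET range, not a real sinkhole).
SINKHOLE_IP = "192.0.2.1"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A/IN query for qname in DNS wire format (RFC 1035)."""
    # Flags 0x0100 = recursion desired; one question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def frame_for_tcp(message: bytes) -> bytes:
    """Add the 2-byte length prefix used by DNS over TCP and therefore by DoT."""
    return struct.pack("!H", len(message)) + message


def parse_qname(message: bytes) -> str:
    """Return the first question's name (question names are never compressed)."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def unframe_stream(stream: bytes):
    """Split a decrypted DoT byte stream into individual DNS messages.

    DoT allows several queries to be pipelined on one TLS connection, so a
    single decrypted stream may hold more than one message.
    """
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        yield stream[pos:pos + length]
        pos += length


def evaluate(stream: bytes):
    """Hypothetical post-decryption check: list of (qname, verdict) per query."""
    verdicts = []
    for message in unframe_stream(stream):
        qname = parse_qname(message)
        if qname in BLOCKED_DOMAINS:
            verdicts.append((qname, f"sinkhole:{SINKHOLE_IP}"))
        else:
            verdicts.append((qname, "allow"))
    return verdicts


if __name__ == "__main__":
    # Two pipelined queries as they would appear after TLS is removed on port 853.
    decrypted = frame_for_tcp(build_query("example.com")) + frame_for_tcp(
        build_query("malicious.example.net")
    )
    for qname, verdict in evaluate(decrypted):
        print(f"tcp/{DOT_PORT} {qname}: {verdict}")
```

Without the decryption rule, none of this is reachable: the firewall would see only TLS records on port 853 and could not recover the queried name, which is exactly why the page has the DoT session fall through to the traffic log as generic encrypted data.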

Configure DNS Security Over TLS (Strata Cloud Manager)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager application on the hub.
  2. Verify that DNS Security is enabled and configured to inspect DNS requests (see Enable DNS Security). You can use your existing security profile if you want to use the same DNS Policies settings for DNS Security over TLS traffic.
  3. Create a decryption policy rule with an action to decrypt HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in the logs appear as conventional dns-base applications.
  4. (Optional) Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security.
    1. Select Log Viewer and use the drop-down to filter the logs based on the Threat log type. Use the query builder to filter based on the application using dns-base and port 853 (which is exclusively used for DNS Security over TLS transactions), for example, app = 'dns-base' AND source_port = 853.
    2. Select a log entry to view the details of the detected DNS threat.
    3. The Application should display dns-base in the General pane and the Port in the Source pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding tabs.

Configure DNS Security Over TLS (NGFW Managed by PAN-OS or Panorama)

  1. Verify that DNS Security is enabled and configured to inspect DNS requests (see Enable DNS Security). You can use your existing security profile if you want to use the same DNS Policies settings for DNS Security over TLS traffic.
  2. Create a decryption policy rule (similar to the example below) with an action to decrypt HTTPS traffic on port 853, which includes DNS Security over TLS traffic (refer to the Decryption Best Practices for more information). When DNS Security over TLS traffic is decrypted, the resulting DNS requests in the logs appear as conventional dns-base applications.
  3. (Optional) Search for activity on the firewall for decrypted TLS-encrypted DNS queries that have been processed using DNS Security.
    1. Select Monitor > Logs > Traffic and filter based on the application using dns-base and port 853 (which is exclusively used for DNS Security over TLS transactions), for example, ( app eq dns-base ) and ( port.src eq 853 ).
    2. Select a log entry to view the details of a detected DNS threat.
    3. The Application should display dns-base in the General pane and the Port in the Source pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
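Both procedures above end with the same log filter, ( app eq dns-base ) and ( port.src eq 853 ) in PAN-OS or app = 'dns-base' AND source_port = 853 in Strata Cloud Manager. The following added example (not code from the Palo Alto Networks documentation) applies that filter to an exported log outside the UI and, as a coverage check the page's explanation implies, also lists sessions that were still identified as dns-over-tls on port 853, i.e. DoT traffic the decryption rule did not catch. The log records are constructed with a simplified set of columns; the real PAN-OS and Strata Cloud Manager export formats have many more fields, and the function names are assumptions.

```python
"""Added example: run the documented DoT log filters over an exported log.

Sample records are constructed and use a simplified schema (not the real
PAN-OS / Strata Cloud Manager CSV layout).
"""
import csv
import io

DOT_PORT = 853

# Constructed sample export. The THREAT rows follow the page's convention that
# the detected DNS threat shows dns-base with port 853 on the source side; the
# TRAFFIC row is a session that was not decrypted and stayed dns-over-tls.
SAMPLE_LOG = """\
receive_time,type,src,sport,dst,dport,app,action,threat_name
2024-01-01 10:00:01,THREAT,10.1.1.20,53,192.168.1.15,52133,dns,sinkhole,Suspicious DNS Query
2024-01-01 10:00:02,THREAT,10.1.1.20,853,192.168.1.16,52134,dns-base,sinkhole,Suspicious DNS Query
2024-01-01 10:00:03,TRAFFIC,192.168.1.17,52135,10.1.1.20,853,dns-over-tls,allow,
2024-01-01 10:00:04,THREAT,10.1.1.20,853,192.168.1.18,52136,dns-base,alert,Malware DNS Query
"""


def parse_log(text: str):
    """Read a CSV export into a list of dict records (one per log line)."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_records(records, app: str, port_field: str, port: int):
    """Records whose app matches and whose given port field (sport/dport) equals port."""
    return [r for r in records if r["app"] == app and int(r[port_field]) == port]


def decrypted_dot_threats(records):
    """The documented query: ( app eq dns-base ) and ( port.src eq 853 )."""
    return filter_records(records, "dns-base", "sport", DOT_PORT)


def undecrypted_dot_sessions(records):
    """DoT sessions the decryption rule missed: still dns-over-tls on dport 853."""
    return filter_records(records, "dns-over-tls", "dport", DOT_PORT)


def coverage_report(text: str) -> dict:
    """Summarise decrypted DoT detections and any DoT sessions left encrypted."""
    records = parse_log(text)
    return {
        "decrypted_dot_threats": [
            (r["dst"], r["threat_name"], r["action"]) for r in decrypted_dot_threats(records)
        ],
        "undecrypted_dot_sessions": [r["src"] for r in undecrypted_dot_sessions(records)],
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG)
    for dst, threat, action in report["decrypted_dot_threats"]:
        print(f"DoT threat -> {dst}: {threat} ({action})")
    for src in report["undecrypted_dot_sessions"]:
        print(f"DoT session from {src} was NOT decrypted; check the decryption rule")
```

A non-empty `undecrypted_dot_sessions` list is the signal to revisit the decryption policy rule, since those sessions never reached DNS Security.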