Advanced DNS Security Powered by Precision AI™
Configure Lookup Timeout
DNS Security
If the firewall cannot retrieve a signature verdict within the allotted time (for example, because of a connectivity problem), the request, and every subsequent DNS response, is passed through without a verdict. Check the average latency to verify that requests complete within the configured period. If the average latency exceeds the configured period, raise the setting to a value higher than the average latency so that requests stop timing out.
- In the CLI, issue the following command to view the average latency:

  show dns-proxy dns-signature counters

  The default timeout is 100 milliseconds. Scroll down to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This value is the average time taken to retrieve a signature verdict from the DNS Security service. Counts for the individual latency brackets follow the averages and show how many lookups fall outside the default:

  Signature query API:
  . . .
  [latency ] : max 1870 (ms) min 16(ms) avg 27(ms)
      50 or less : 47246
      100 or less : 113
      200 or less : 25
      400 or less : 15
      else : 21
- If the average latency is consistently above the default timeout value, raise the setting so that requests complete within the configured period. Select Device > Setup > Content-ID, update the Realtime Signature Lookup setting, and Commit the changes.

Advanced DNS Security
- View the record of round trip times (in milliseconds) for Advanced DNS Security requests using the following debug CLI command. The times are distributed into latency brackets from 0 ms to 450 ms in 50 ms steps; use them to determine the ideal max-latency setting for your NGFW:

  admin@PA-VM> debug dataplane show ctd feature-forward stats

  In the output, navigate to the PAN_CTDF_DETECT_SERVICE_ADNS section. req_timed_out counts the lookups that exceeded the timeout and were therefore passed through without analysis:

  PAN_CTDF_DETECT_SERVICE_ADNS
    cli_timeout: 1
    req_total: 2
    req_timed_out: 0
    Hold:
    adns rtt>=0ms: 0
    adns rtt>=50ms: 2
    adns rtt>=100ms: 0
    adns rtt>=150ms: 0
    adns rtt>=200ms: 0
    adns rtt>=250ms: 0
    adns rtt>=300ms: 0
    adns rtt>=350ms: 0
    adns rtt>=400ms: 0
    adns rtt>=450ms: 0
- Configure the maximum Advanced DNS signature lookup timeout. When this value is exceeded, the DNS response passes through without Advanced DNS Security analysis. DNS signatures (and their associated policies) that are delivered through regular content updates, or that are part of configured EDLs (external dynamic lists) or DNS exceptions, are still applied.
  - Select Device > Setup > Content-ID > Advanced DNS Security.
  - Specify an updated maximum Advanced DNS signature lookup timeout in milliseconds. The default is 100 ms and is the recommended setting.
  - Click OK to confirm your changes.

  Alternatively, configure the timeout from the CLI. You can set a value of 100-15,000 ms in 100 ms increments; the default value is 100 ms and is the recommended setting:
  admin@PA-VM# set deviceconfig setting adns-setting max-latency <timeout_value_in_milliseconds>

  For example:

  admin@PA-VM# set deviceconfig setting adns-setting max-latency 500
- Check the current timeout configuration using the following CLI command (refer to the max-latency entry of the output). This command shows configuration pushed from a Panorama template; for a value set locally on the firewall, look at the same entry in the output of show config running instead.

  admin@PA-VM> show config pushed-template
  ...
  }
  deviceconfig {
    setting {
      dns {
        dns-cloud-server dns-qa.service.paloaltonetworks.com;
      }
      adns-setting {
        max-latency 100;
      }
    }
  }
  ...
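The two counter outputs above (the DNS Security latency brackets and the Advanced DNS Security RTT brackets) can be turned into a timeout value mechanically rather than by eyeballing the average. The following Python is an added example, not Palo Alto Networks code: it parses both outputs, reports the share of lookups that already finish within the current timeout, picks the smallest bracket boundary that covers a target share of lookups, and for Advanced DNS Security rounds that boundary up to the 100 ms step and emits the matching set command. Both sample outputs are constructed; the first reuses the figures shown on this page, the second uses invented counts. Because a timed-out lookup is passed through without a verdict, req_timed_out divided by req_total is the share of DNS responses that escaped analysis, which is a more direct signal than the average latency.

```python
"""Size DNS Security / Advanced DNS Security lookup timeouts from PAN-OS counters. Added example, not Palo Alto Networks code."""
import re
# Constructed sample reusing the page's figures: the latency section under
# "Signature query API" in `show dns-proxy dns-signature counters`.
DNS_SIG_COUNTERS = """\
Signature query API:
  [latency ] : max 1870 (ms) min 16(ms) avg 27(ms)
    50 or less : 47246
    100 or less : 113
    200 or less : 25
    400 or less : 15
    else : 21
"""
# Constructed sample with invented counts: the PAN_CTDF_DETECT_SERVICE_ADNS
# section of `debug dataplane show ctd feature-forward stats`.
ADNS_STATS = """\
PAN_CTDF_DETECT_SERVICE_ADNS
  cli_timeout: 1
  req_total: 1200
  req_timed_out: 9
  Hold:
  adns rtt>=0ms: 700
  adns rtt>=50ms: 400
  adns rtt>=100ms: 60
  adns rtt>=150ms: 20
  adns rtt>=200ms: 8
  adns rtt>=250ms: 3
  adns rtt>=300ms: 0
  adns rtt>=350ms: 0
  adns rtt>=400ms: 0
  adns rtt>=450ms: 9
"""
DEFAULT_TIMEOUT_MS = 100                                  # default for both lookups
ADNS_STEP_MS, ADNS_MIN_MS, ADNS_MAX_MS = 100, 100, 15000  # max-latency range (page)

def parse_dns_sig_latency(text):
    """-> (avg_ms, {inclusive '<= N ms' bound: count, None: 'else' count})."""
    hdr = re.search(r"\[latency\s*\]\s*:.*?avg\s+(\d+)\s*\(ms\)", text)
    if hdr is None:
        raise ValueError("no [latency] line in output")
    buckets = {int(b): int(n) for b, n in re.findall(r"(\d+) or less\s*:\s*(\d+)", text)}
    tail = re.search(r"\belse\s*:\s*(\d+)", text)
    buckets[None] = int(tail.group(1)) if tail else 0
    return int(hdr.group(1)), buckets

def parse_adns_rtt(text):
    """-> (req_total, req_timed_out, {inclusive '>= N ms' bracket start: count})."""
    sec = text[text.index("PAN_CTDF_DETECT_SERVICE_ADNS"):]
    total = int(re.search(r"req_total:\s*(\d+)", sec).group(1))
    timed_out = int(re.search(r"req_timed_out:\s*(\d+)", sec).group(1))
    buckets = {int(b): int(n) for b, n in re.findall(r"adns rtt>=(\d+)ms:\s*(\d+)", sec)}
    return total, timed_out, buckets

def cumulative(pairs, total):
    """Ordered (timeout bound, count) pairs -> (bound, cumulative fraction of total)."""
    acc, out = 0, []
    for bound, n in pairs:
        acc += n
        out.append((bound, acc / total))
    return out

def timeout_for_coverage(cover, target):
    """Smallest bound reaching target coverage; None if only the open tail would."""
    return next((bound for bound, frac in cover if frac >= target), None)

def fraction_within(cover, timeout_ms):
    """Coverage at the largest bound <= timeout_ms: a lower bound on in-time lookups."""
    return max((frac for bound, frac in cover if bound <= timeout_ms), default=0.0)

def adns_max_latency(ms):
    """Round up to the next 100 ms step and clamp to the configurable range."""
    return max(ADNS_MIN_MS, min(ADNS_MAX_MS, -(-ms // ADNS_STEP_MS) * ADNS_STEP_MS))

def dns_sig_assessment(text, timeout_ms=DEFAULT_TIMEOUT_MS, target=0.999):
    avg, buckets = parse_dns_sig_latency(text)
    # '<= N' rows map straight to timeouts; the 'else' row only counts toward the total
    bounds = sorted(b for b in buckets if b is not None)
    cover = cumulative([(b, buckets[b]) for b in bounds], sum(buckets.values()))
    return {"avg_ms": avg, "avg_within_timeout": avg <= timeout_ms,
            "within_timeout": fraction_within(cover, timeout_ms),
            "bound_for_target": timeout_for_coverage(cover, target)}

def adns_assessment(text, timeout_ms=DEFAULT_TIMEOUT_MS, target=0.99):
    total, timed_out, buckets = parse_adns_rtt(text)
    # a lookup in bracket [b, next) is covered by a timeout of next; the open tail is dropped
    bounds = sorted(buckets)
    cover = cumulative([(nxt, buckets[b]) for b, nxt in zip(bounds, bounds[1:])],
                       sum(buckets.values()))
    bound = timeout_for_coverage(cover, target)
    ml = None if bound is None else adns_max_latency(bound)
    return {"timed_out": timed_out / total if total else 0.0,   # share passed through unanalysed
            "within_timeout": fraction_within(cover, timeout_ms),
            "max_latency": ml,
            "set_command": None if ml is None else f"set deviceconfig setting adns-setting max-latency {ml}"}

if __name__ == "__main__":
    print(dns_sig_assessment(DNS_SIG_COUNTERS))
    print(adns_assessment(ADNS_STATS))
```

Run the file directly to print both assessments. The bracket boundaries are the only timeouts the histograms can justify, so when the target share is reached only by the open-ended last bracket the functions return None instead of guessing; at that point look at the reported max latency or collect more samples before changing the setting. Raising max-latency holds DNS responses longer while the verdict is fetched, so keep the value no higher than the histogram requires.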