Advanced DNS Security Powered by Precision AI™
Configure Lookup Timeout
Table of Contents
Configure Lookup Timeout
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
DNS Security
If the firewall is unable to retrieve a signature verdict in the allotted time
due to connectivity issues, the request, including all subsequent DNS responses,
are passed through. You can check the average latency to verify that requests
fall within the configured period. If the average latency exceeds the configured
period, consider updating the setting to a value that is higher than the average
latency to prevent requests from timing out.
- In the CLI, issue the following command to view the average latency.show dns-proxy dns-signature countersThe default timeout is 100 milliseconds.
- Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.Signature query API: . . . [latency ] : max 1870 (ms) min 16(ms) avg 27(ms) 50 or less : 47246 100 or less : 113 200 or less : 25 400 or less : 15 else : 21
- If the average latency is consistency above the default timeout value, you can raise the setting so that the requests fall within a given period. SelectDevice > Content-IDand update theRealtime Signature Lookupsetting.
- Commit the changes.
Advanced DNS Security
- View the record of round trip times (in milliseconds) for Advanced DNS Security requests using the following debug CLI command. These are distributed into latency brackets from 0ms to 450ms. You can use this to determine the ideal max latency setting for your NGFW.admin@PA-VM debug dataplane show ctd feature-forward statsIn the response output, navigate to the sectionPAN_CTDF_DETECT_SERVICE_ADNS.PAN_CTDF_DETECT_SERVICE_ADNS cli_timeout: 1 req_total: 2 req_timed_out: 0 Hold: adns rtt>=0ms: 0 adns rtt>=50ms: 2 adns rtt>=100ms: 0 adns rtt>=150ms: 0 adns rtt>=200ms: 0 adns rtt>=250ms: 0 adns rtt>=300ms: 0 adns rtt>=350ms: 0 adns rtt>=400ms: 0 adns rtt>=450ms: 0
- Configure the maximum Advanced DNS signature lookup timeout setting. When this value is exceeded, the DNS response passes through without performing analysis using Advanced DNS Security. DNS signatures (and their associated policies) that are delivered through regular content updates or are part of configured EDLs (external dynamic lists) or DNS exceptions are still applied.
![]()
- Select .
- Specify an updated maximum Advanced DNS signature lookup timeout setting in milliseconds. The default is 100ms and is the recommended setting.
- ClickOKto confirm your changes.
Alternatively, you can use the following CLI command to configure the Advanced DNS Security timeout value. You can set a value of 100-15,000ms in 100ms increments. The default value is 100ms and is the recommended setting.admin@PA-VM#set deviceconfig setting adns-setting max-latency <timeout_value_in_milliseconds>For example:admin@PA-VM# set deviceconfig setting adns-setting max-latency 500You can check the current timeout configuration using the following CLI command (refer to themax-latencyentry of the output).admin@PA-VMshow config pushed-template... } deviceconfig { setting { dns { dns-cloud-server dns-qa.service.paloaltonetworks.com; } adns-setting { max-latency 100; } } } ...
