Test Domains
Focus
Focus
Advanced DNS Security

DNS Security Test Domains

Table of Contents

Test Domains

Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
Palo Alto Networks provides the following DNS Security test domains to validate your policy configuration based on the DNS category.
  1. Access the following test domains to verify that the policy action for a given threat type is being enforced:
    DNS Security
    The test domains marked with an * are not supported in PAN-OS 9.1.
    Advanced DNS Security
    Access the following test domain to verify that the policy action for a given threat type is being enforced:
    The following test domain test cases should be added to your DNS server zone file of testpanw.com before accessing the domain. These test cases match against the Advanced DNS Security signatures and will generate the appropriate logs. Verify that the policy action for a given threat type is being enforced.
    • DNS Misconfiguration Domain (Zone Dangling) Test Cases
      Host
      Record Type
      Record Data
      *.test-dnsmisconfig-zone-dangling.testpanw.com
      A
      1.2.3.4
    • Hijacking Domain Test Cases
      Host
      Record Type
      Record Data
      test-ipv4.hijacking.testpanw.com
      A
      1.2.3.5
      *.test-ipv4-wildcard.hijacking.testpanw.com
      A
      1.2.3.6
      test-ipv6.hijacking.testpanw.com
      AAAA
      2607:f8b0:4005:80d::2005
      test-cname-rrname.hijacking.testpanw.com
      CNAME
      1.test-cname-wc.hijacking.testpanw.com
      test-cname-rrname-wc.hijacking.testpanw.com
      CNAME
      1.test-cname-wildcard-1.hijacking.testpanw.com
      *.test-cname-rrname-sub-wc.hijacking.testpanw.com
      CNAME
      2.test-cname-wc.hijacking.testpanw.com
      test-ns-rrname.hijacking.testpanw.com
      NS
      test-ns.hijacking.testpanw.com
      test-ns-rrname-rdata-wc.hijacking.testpanw.com
      NS
      1.test-ns-wc.hijacking.testpanw.com
      1.test-ns-rrname-sub-wc.hijacking.testpanw.com
      NS
      test-ns.hijacking.testpanw.com
      test-rrname-wc.hijacking.testpanw.com
      NS
      test-ns-2.hijacking.testpanw.com
      For NS records, you must use the following option:"
      dig +trace NS
      "
  2. Verify that the DNS query request has been processed by DNS Security by monitoring the activity.

Recommended For You