Test Domains

Table of Contents

Create Domain Exceptions and Allow | Block Lists

Test Connectivity to the DNS Security Cloud Services

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series	Advanced DNS Security License (for enhanced feature support) or DNS Security License Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks provides the following DNS Security test domains to validate your policy configuration based on the DNS category.

Access the following test domains to verify that the policy action for a given threat type is being enforced:

DNS Security

C2—test-c2.testpanw.com
DNS Tunneling—test-dnstun.testpanw.com
DGA—test-dga.testpanw.com
Dynamic DNS*—test-ddns.testpanw.com
Malware—test-malware.testpanw.com
Newly Registered Domains*—test-nrd.testpanw.com
Phishing*—test-phishing.testpanw.com
Grayware*—test-grayware.testpanw.com
Parked*—test-parked.testpanw.com
Proxy Avoidance and Anonymizers*—test-proxy.testpanw.com
Fast Flux*—test-fastflux.testpanw.com
Malicious NRD*—test-malicious-nrd.testpanw.com
NXNS Attack*—test-nxns.testpanw.com
Dangling*—test-dangling-domain.testpanw.com
DNS Rebinding*—test-dns-rebinding.testpanw.com
DNS Infiltration*—test-dns-infiltration.testpanw.com
Wildcard Abuse*—test-wildcard-abuse.testpanw.com
Strategically-Aged*—test-strategically-aged.testpanw.com
Compromised DNS*—test-compromised-dns.testpanw.com
Ad Tracking*—test-adtracking.testpanw.com
CNAME Cloaking*—test-cname-cloaking.testpanw.com
Ransomware*—test-ransomware.testpanw.com
Stockpile*—test-stockpile-domain.testpanw.com
Cybersquatting*—test-squatting.testpanw.com
Subdomain Reputation*—test-subdomain-reputation.testpanw.com

The test domains marked with an * are not supported in PAN-OS 9.1.

Advanced DNS Security

Access the following test domain to verify that the policy action for a given threat type is being enforced:

DNS Misconfiguration Domain (Claimable)—http://test-dnsmisconfig-claimable-nx.testpanw.com

The following test domain test cases should be added to your DNS server zone file of testpanw.com before accessing the domain. These test cases match against the Advanced DNS Security signatures and will generate the appropriate logs. Verify that the policy action for a given threat type is being enforced.

DNS Misconfiguration Domain (Zone Dangling) Test Cases

Host	Record Type	Record Data
*.test-dnsmisconfig-zone-dangling.testpanw.com	A	1.2.3.4

Hijacking Domain Test Cases

Host	Record Type	Record Data
test-ipv4.hijacking.testpanw.com	A	1.2.3.5
*.test-ipv4-wildcard.hijacking.testpanw.com	A	1.2.3.6
test-ipv6.hijacking.testpanw.com	AAAA	2607:f8b0:4005:80d::2005
test-cname-rrname.hijacking.testpanw.com	CNAME	1.test-cname-wc.hijacking.testpanw.com
test-cname-rrname-wc.hijacking.testpanw.com	CNAME	1.test-cname-wildcard-1.hijacking.testpanw.com
*.test-cname-rrname-sub-wc.hijacking.testpanw.com	CNAME	2.test-cname-wc.hijacking.testpanw.com
test-ns-rrname.hijacking.testpanw.com	NS	test-ns.hijacking.testpanw.com
test-ns-rrname-rdata-wc.hijacking.testpanw.com	NS	1.test-ns-wc.hijacking.testpanw.com
1.test-ns-rrname-sub-wc.hijacking.testpanw.com	NS	test-ns.hijacking.testpanw.com
test-rrname-wc.hijacking.testpanw.com	NS	test-ns-2.hijacking.testpanw.com
For NS records, you must use the following option:"dig +trace NS"

Verify that the DNS query request has been processed by DNS Security by monitoring the activity.

Create Domain Exceptions and Allow | Block Lists

Test Connectivity to the DNS Security Cloud Services

Advanced DNS Security

Test Domains

Advanced DNS Security

Test Domains

DNS Misconfiguration Domain (Zone Dangling) Test Cases

Hijacking Domain Test Cases

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Technical Documentation

Company

Legal Notices