Focus

Advanced DNS Security Powered by Precision AI™

DNS Security Test Domains

Table of Contents

Create Domain Exceptions and Allow | Block Lists

Test Connectivity to the DNS Security Cloud Services

Test Domains

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series	Advanced DNS Security License (for enhanced feature support) or DNS Security License Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks provides the following DNS Security test domains to validate your policy configuration based on the DNS category.

Access the following test domains to verify that the policy action for a given threat type is being enforced:

DNS Security

C2—test-c2.testpanw.com

DNS Tunneling—test-dnstun.testpanw.com

DGA—test-dga.testpanw.com

Dynamic DNS*—test-ddns.testpanw.com

Malware—test-malware.testpanw.com

Newly Registered Domains*—test-nrd.testpanw.com

Phishing*—test-phishing.testpanw.com

Grayware*—test-grayware.testpanw.com

Parked*—test-parked.testpanw.com

Proxy Avoidance and Anonymizers*—test-proxy.testpanw.com

Fast Flux*—test-fastflux.testpanw.com

Malicious NRD*—test-malicious-nrd.testpanw.com

NXNS Attack*—test-nxns.testpanw.com

Dangling*—test-dangling-domain.testpanw.com

DNS Rebinding*—test-dns-rebinding.testpanw.com

DNS Infiltration*—test-dns-infiltration.testpanw.com

Wildcard Abuse*—test-wildcard-abuse.testpanw.com

Strategically-Aged*—test-strategically-aged.testpanw.com

Compromised DNS*—test-compromised-dns.testpanw.com

Ad Tracking*—test-adtracking.testpanw.com

CNAME Cloaking*—test-cname-cloaking.testpanw.com

Ransomware*—test-ransomware.testpanw.com

Stockpile*—test-stockpile-domain.testpanw.com

Cybersquatting*—test-squatting.testpanw.com

Subdomain Reputation*—test-subdomain-reputation.testpanw.com

The test domains marked with an * are not supported in PAN-OS 9.1.

Advanced DNS Security

Access the following test domain to verify that the policy action for a given threat type is being enforced:

DNS Misconfiguration Domain
(Claimable)—http://test-dnsmisconfig-claimable-nx.testpanw.com

The following test domain test cases should be added to your DNS server zone file of testpanw.com before accessing the domain. These test cases match against the Advanced DNS Security signatures and will generate the appropriate logs. Verify that the policy action for a given threat type is being enforced.

DNS Misconfiguration Domain (Zone Dangling) Test Cases
Host	Record Type	Record Data
*.test-dnsmisconfig-zone-dangling.testpanw.com	A	1.2.3.4

Hijacking Domain Test Cases
Host	Record Type	Record Data
test-ipv4.hijacking.testpanw.com	A	1.2.3.5
*.test-ipv4-wildcard.hijacking.testpanw.com	A	1.2.3.6
test-ipv6.hijacking.testpanw.com	AAAA	2607:f8b0:4005:80d::2005
test-cname-rrname.hijacking.testpanw.com	CNAME	1.test-cname-wc.hijacking.testpanw.com
test-cname-rrname-wc.hijacking.testpanw.com	CNAME	1.test-cname-wildcard-1.hijacking.testpanw.com
*.test-cname-rrname-sub-wc.hijacking.testpanw.com	CNAME	2.test-cname-wc.hijacking.testpanw.com
test-ns-rrname.hijacking.testpanw.com	NS	test-ns.hijacking.testpanw.com
test-ns-rrname-rdata-wc.hijacking.testpanw.com	NS	1.test-ns-wc.hijacking.testpanw.com
1.test-ns-rrname-sub-wc.hijacking.testpanw.com	NS	test-ns.hijacking.testpanw.com
test-rrname-wc.hijacking.testpanw.com	NS	test-ns-2.hijacking.testpanw.com
For NS records, you must use the following option:"dig +trace NS "

Verify that the DNS query request has been processed by DNS Security by monitoring the activity.

Create Domain Exceptions and Allow | Block Lists

Test Connectivity to the DNS Security Cloud Services

Advanced DNS Security

DNS Security Test Domains

Advanced DNS Security

Test Domains

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices