PAN-OS 10.0 and later supports individually
configurable DNS signature sources, which enables you to define
separate policy actions as well as a log severity level for a given
signature source. This enables you to create discrete, precise security
actions based on the threat posture of a domain type according to
your network security protocols. The DNS signature source definitions
are extensible through PAN-OS content releases so, when new DNS Security
analyzers are introduced, you are able to create specific policies
based on the nature of the threat.Upon upgrade to PAN-OS 10.0 and
later, the DNS Security source gets redefined into new categories
to provide extended granular controls; as a result, the new categories
will overwrite the previously defined action and acquire default
settings. Make sure to reapply any sinkhole, log severity, and packet
captures settings appropriate for the newly defined DNS Security
Categories.
