New Features in December 2025

Advanced DNS Security Powered by Precision AI®

Review the new features and platform changes for Advanced DNS Security in December 2025.

Automatic Subdomain Expansion for Advanced DNS Security Resolver EDLs

December 19, 2025
Managing comprehensive access control for domains often requires defining both the top-level domain and its subdomains to ensure complete coverage. This manual process can be time-consuming and increases the risk of security gaps if a specific subdomain is omitted.
You can now configure Advanced DNS Security Resolver external dynamic lists to automatically include all subdomains associated with a specific domain entry. When you enable this capability, the Advanced DNS Security Resolver treats a standard domain entry, such as example.com, as inclusive of all lower-level components (for example, *.example.com). This ensures that your security policies apply consistently across the entire domain hierarchy without requiring you to manually define wildcard entries.
This feature simplifies EDL domain management on your Advanced DNS Security Resolver; however, because the system generates an implicit wildcard entry for each domain, enabling this setting consumes two entries for every domain in the list. To accommodate the increased entry count, the total domain entry limits (across all EDLs for a given tenant) have been increased.
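The subdomain-expansion behavior described above, as an added illustrative model (not Palo Alto Networks code): it shows how a plain domain entry gains an implicit wildcard, why that doubles the entry count, and why wildcard matching must be label-aligned (so notexample.com is not treated as a subdomain of example.com). It assumes that an entry already written as *.domain is not expanded a second time.

```python
# Added illustration, not product code: models how an EDL domain entry behaves
# with and without the "include subdomains" option, and how the implicit
# wildcard doubles the entries counted against the per-tenant limit.
from typing import Iterable, List


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip a trailing dot: 'Example.COM.' -> 'example.com'."""
    return name.strip().lower().rstrip(".")


def expand_edl(entries: Iterable[str], include_subdomains: bool) -> List[str]:
    """Return the effective entry list.

    With include_subdomains enabled, each plain domain also yields an implicit
    '*.domain' entry, so every listed domain consumes two entries.
    Assumption: an entry the admin already wrote as '*.domain' is kept as-is.
    """
    effective: List[str] = []
    for raw in entries:
        entry = normalize(raw)
        effective.append(entry)
        if include_subdomains and not entry.startswith("*."):
            effective.append("*." + entry)
    return effective


def matches(query: str, entry: str) -> bool:
    """Exact match for a plain entry; label-aligned suffix match for '*.' entries.

    A substring check would wrongly let 'notexample.com' match 'example.com';
    requiring the '.' boundary prevents that.
    """
    q = normalize(query)
    if entry.startswith("*."):
        base = entry[2:]
        return q != base and q.endswith("." + base)
    return q == entry


def lookup(query: str, effective_entries: List[str]) -> bool:
    """True if the queried name is covered by any effective EDL entry."""
    return any(matches(query, e) for e in effective_entries)


def entry_count(entries: Iterable[str], include_subdomains: bool) -> int:
    """Entries consumed against the per-tenant EDL domain limit."""
    return len(expand_edl(entries, include_subdomains))
```

With expansion off, a list containing only example.com covers neither mail.example.com nor www.example.com, which is exactly the gap the feature closes.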

Custom FQDN List Support For Advanced DNS Security Resolver

December 19, 2025
Security administrators often require precise and immediate control over domain resolution that extends beyond the default threat intelligence feeds and broad domain categories. Previously, when using the Advanced DNS Security Resolver, you could only configure Fully Qualified Domain Names (FQDNs) as explicitly 'allowable' domains tied to a specific DNS Security profile. This limitation prevented the granular enforcement of other actions (such as blocking or sinkholing) on custom domain lists specific to a network's immediate threat posture or compliance needs. Additionally, replicating these FQDNs across multiple security profiles required manual re-entry, which could consume a significant amount of time.
Custom Domain List Support for the Advanced DNS Security Resolver addresses this by letting you create and manage custom FQDN lists that are not tied to a DNS Security profile and apply explicit security actions to them.
You can now apply specific enforcement actions, including allow, block, alert, or sinkhole, to domains defined in your referable custom FQDN lists. This capability is essential for stopping communication with internal or custom-identified command-and-control (C2) domains and other malicious domains, or for ensuring strict adherence to unique organizational compliance lists. By defining explicit security actions for customized FQDN lists, you strengthen your first line of defense against sophisticated DNS-based attacks.

Advanced DNS Security Resolver for Prisma Access Agent

December 08, 2025
Mobile users with Prisma® Access Agents might need to disconnect the agent app for various reasons, such as connectivity or performance problems, customer site restrictions, or accessing sanctioned applications directly. This creates security gaps because internet or Software as a Service (SaaS) traffic is no longer inspected. Advanced DNS Security Resolver addresses this challenge by providing DNS security for Prisma Access Agent users whenever the user is disconnected from Prisma Access Agent, ensuring security protections remain in place at all times.
When you enable Advanced DNS Security Resolver for Prisma Access Agents, the agent routes DNS traffic to Palo Alto Networks DNS resolvers using DNS over HTTPS (DoH) whenever the primary tunnel connection is disconnected. The feature intercepts DNS queries and forwards them over encrypted connections, ensuring visibility and control over DNS requests even when users are disconnected from the tunnel. The service supports user-authenticated modes, with long-lived device tokens valid for up to six months.
With this feature, forwarding of traffic to Advanced DNS Security Resolver relies on the same forwarding profiles the agent receives, giving you full control over which DNS traffic is resolved through Advanced DNS Security Resolver and which is allowed to go direct. The feature provides threat protection by blocking malicious domains identified by DNS Security, and by enforcing the user-specific, administrator-configured DNS Security policies you add to Advanced DNS Security Resolver. You can deploy Advanced DNS Security Resolver for Prisma Access Agent as a fallback mechanism that activates when primary tunnel connections are disrupted.