The DNS Security service collects server response and request information based on your firewall security policy rules, associated action, and the DNS query details when performing domain lookups. The firewall forwards supplemental DNS data to the DNS Security cloud servers and is used by Palo Alto Networks services to provide more accurate domain information (such as provider ASN, hosting information, and geolocation identification). While this supplemental data is not necessary to operate the DNS Security service, it provides the resources to generate improved analytics, DNS detection, and prevention capabilities. This action occurs in less than 30 seconds after collection and batching does not impact firewall performance. In cases where the firewall is experiencing a high load, DNS data collection scales down as needed to maintain expected performance levels.

The firewall can submit the following data fields:

Data fields that can be used to potentially identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission using the following CLI command:

set deviceconfig setting ctd cloud-dns-privacy-mask yes

. You must

commit

the changes for the update to take effect.