DNS Security Signature Categories

DNS Security Categories allows you to create precise security actions based on the threat posture of a domain type.
The DNS Security Service provides individually configurable DNS signature sources, which enables you to define separate policy actions as well as a log severity level for a given signature source. This enables you to create discrete, precise security actions based on the threat posture of a domain type according to your network security protocols. The DNS signature source definitions are extensible through PAN-OS content releases so, when new DNS Security analyzers are introduced, you are able to create specific policies based on the nature of the threat.
The default settings for each DNS signature source is defined based on the previous setting of the
Palo Alto Networks Cloud DNS Security
signature source action. If you want to change any of the defaults, review the process below. If you have not previously used this feature, Enable DNS Security to secure your DNS traffic.
  1. Select
    Security Profiles
    and select a profile to modify.
  2. Select
    DNS Policies
    to modify the signature source configuration.
  3. In the
    Signature Source
    table, scroll to
    DNS Security
    and select a log severity, policy action, and packet capture setting for each signature source type.
    There are five signature types available for configuration:
    • Command and Control Domains
    • Malware Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Dynamic DNS Hosted Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Recently Registered Domains
    • (
      PAN-OS 10.0 and later versions only
      ) Phishing Domains
    • The Dynamic DNS Hosted Domains, Recently Registered Domains, and Phishing Domains signature sources are introduced in PAN-OS 10.0.
    • The
      Benign Domains
      signature source category is non-operational and will be phased out in an upcoming release.
  4. Click
    to save the Anti-Spyware profile and
    your changes.
See Enable DNS Security for information about testing policy actions, monitoring DNS activity, and creating DNS signature exceptions.

Recommended For You