DNS Security Data Collection and Logging

The DNS Security service collects server response and request information based on your firewall security policy rules, associated action, and the DNS query details when performing domain lookups. The firewall forwards supplemental DNS data to the DNS Security cloud servers and is used by Palo Alto Networks services to provide more accurate domain information (such as provider ASN, hosting information, and geolocation identification). While this supplemental data is not necessary to operate the DNS Security service, it provides the resources to generate improved analytics, DNS detection, and prevention capabilities. This action occurs in less than 30 seconds after collection and batching does not impact firewall performance. In cases where the firewall is experiencing a high load, DNS data collection scales down as needed to maintain expected performance levels.
The firewall can submit the following data fields:
Field
Description
Action
Displays the policy action taken on the DNS query.
Type
Displays the DNS record type.
Response
The IP address that the domain in the DNS query got resolved to.
Response Code
The DNS response code that was received as an answer to your DNS query.
Source IP
The IP address of the system that made the DNS request.
Source User
When the firewall User-ID feature is enabled, the identity of the DNS requester is shown.
Source Zone
The configured source zone referenced in your security policy rule.
DNS expanded data collection is bypassed for domains added to the Allow list in DNS Exceptions.
Data fields that can be used to potentially identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission using the following CLI command:
set deviceconfig setting ctd cloud-dns-privacy-mask yes
. You must
commit
the changes for the update to take effect.

Recommended For You