The DNS Security service collects DNS request and response information when the firewall performs domain lookups, together with the security policy rule that matched, the action taken, and the details of the DNS query. The firewall forwards the collected DNS data within 30 seconds; collection and batching do not impact firewall performance. When the firewall is under high load, DNS data collection scales down as needed so that expected performance levels are maintained. Palo Alto Networks uses this data to provide more accurate domain information (such as provider ASN, hosting information, and geolocation) and to improve analytics, DNS detection, and prevention capabilities.
The firewall can submit the following data fields:
- The policy action taken on the DNS query.
- The DNS record type.
- The IP address that the domain in the DNS query was resolved to.
- The DNS response code returned as the answer to the DNS query.
- Source IP: the IP address of the system that made the DNS query.
- Source User: when the firewall User-ID feature is enabled, the identity of the DNS requester.
- Source Zone: the configured source zone referenced in the matching security policy rule.
DNS expanded data collection is bypassed for domains added
to the Allow list in DNS Exceptions.
The data fields that could be used to identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission with the following CLI command, entered in configuration mode and followed by a commit:
set deviceconfig setting ctd cloud-dns-privacy-mask yes
The remaining fields (domain, action, record type, resolved IP, and response code) are still submitted when the privacy mask is enabled.
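To make the two controls above concrete, the following Python model shows which fields leave the firewall for a batch of lookups once the DNS Exceptions Allow list bypass and the privacy mask are applied. This is an added illustration, not PAN-OS code: the record field names, the DnsQueryEvent structure, the Allow-list matching rule (exact entry or a subdomain of an entry), and the sample lookups are all assumptions constructed for the example.

```python
"""Illustrative model (not PAN-OS code) of which DNS Security telemetry
fields are submitted under the DNS Exceptions Allow list bypass and the
cloud-dns-privacy-mask setting. Field names and the Allow-list matching
rule are assumptions made for this example."""

from dataclasses import dataclass, asdict
from typing import Optional

# The fields the documentation identifies as potentially user-identifying;
# these are what the privacy mask withholds from submission.
USER_IDENTIFYING_FIELDS = ("source_ip", "source_user", "source_zone")


@dataclass(frozen=True)
class DnsQueryEvent:
    """One DNS lookup as seen by the firewall (field names are assumed)."""
    domain: str
    action: str                  # policy action taken on the query
    record_type: str             # e.g. A, AAAA, TXT
    resolved_ip: Optional[str]   # None when the query got no answer
    response_code: str           # e.g. NOERROR, NXDOMAIN
    source_ip: str
    source_user: Optional[str]   # None when User-ID has no mapping
    source_zone: str


def in_allow_list(domain: str, allow_list: frozenset) -> bool:
    """Assumed matching rule: exact entry, or a subdomain of an entry.
    Trailing dots and case are ignored."""
    d = domain.lower().rstrip(".")
    return any(d == entry or d.endswith("." + entry) for entry in allow_list)


def build_telemetry_record(event: DnsQueryEvent, allow_list: frozenset,
                           privacy_mask: bool) -> Optional[dict]:
    """Return the fields that would be submitted for one lookup, or None
    when the domain is on the Allow list (expanded collection bypassed)."""
    if in_allow_list(event.domain, allow_list):
        return None
    record = asdict(event)
    if privacy_mask:
        # Withhold the user-identifying fields; everything else still goes.
        for field in USER_IDENTIFYING_FIELDS:
            del record[field]
    return record


def build_batch(events, allow_list: frozenset, privacy_mask: bool) -> list:
    """Records for a batch of lookups; bypassed domains yield no record."""
    records = (build_telemetry_record(e, allow_list, privacy_mask) for e in events)
    return [r for r in records if r is not None]


# Constructed DNS Exceptions Allow list for the example.
ALLOW_LIST = frozenset({"intranet.example"})

# Constructed sample lookups (not real traffic).
SAMPLE_EVENTS = (
    DnsQueryEvent("updates.example.com", "allow", "A", "203.0.113.10",
                  "NOERROR", "10.1.2.3", "corp\\alice", "trust"),
    DnsQueryEvent("sso.intranet.example", "allow", "A", "10.9.8.7",
                  "NOERROR", "10.1.2.4", "corp\\bob", "trust"),
    DnsQueryEvent("xyz123.badexample.net", "block", "A", None,
                  "NXDOMAIN", "10.1.2.5", None, "trust"),
)


if __name__ == "__main__":
    for masked in (False, True):
        print(f"privacy mask enabled: {masked}")
        for rec in build_batch(SAMPLE_EVENTS, ALLOW_LIST, masked):
            print("  ", rec)
```

Running the block prints the batch twice: without the mask each record carries source_ip, source_user and source_zone; with the mask those three keys are gone while domain, action, record type, resolved IP and response code remain. The lookup for sso.intranet.example never appears, because its parent domain is on the Allow list and expanded collection is bypassed for it entirely.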