Advanced DNS Security Powered by Precision AI®

Automatically secure your DNS traffic with Palo Alto Networks Advanced DNS Security Powered by Precision AI, a cloud-based analytics platform that gives your firewall access to DNS signatures generated using advanced predictive analysis and machine learning. The service draws on malicious domain data from a growing threat intelligence sharing community and on domain detectors that inspect changes in DNS responses to detect various types of DNS hijacking in real time.

What's New

29 January 2025

Advanced DNS Security now supports Dangling Web And App Domain Detection to combat a rising threat in enterprise environments.

Websites often rely on links to external third-party resources. When these external domains expire, they become dangling assets that threat actors can quickly re-register to host malicious payloads. This tactic allows attackers to serve malware or execute cross-site scripting (XSS) attacks through what appear to be legitimate, trusted business sites.

To neutralize this risk, the Advanced DNS Security and Advanced DNS Security Resolver services now proactively identify and block DNS requests directed at these expired, high-risk domains. By intercepting the threat at the DNS resolution layer, the system ensures a secure perimeter is maintained before a network connection can ever be established.
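
An added example, not part of Palo Alto Networks' documentation or product code: a site owner's audit that lists the third-party hosts a page loads resources from and flags those whose registrable domain is no longer registered. The sample HTML, the `REGISTERED` set, and all function names are constructed assumptions; a real audit would replace the lookup with RDAP or WHOIS.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every host is a placeholder under the reserved .example TLD.
SAMPLE_HTML = """
<head>
  <script src="https://cdn.widgets-old.example/lib.js"></script>
  <link rel="stylesheet" href="https://static.partner.example/site.css">
  <script src="/js/local.js"></script>
</head>
<body>
  <img src="//img.widgets-old.example/logo.png">
  <iframe src="https://forms.vendor.example/embed"></iframe>
</body>
"""
# Constructed stand-in for a registration lookup (RDAP/WHOIS in a real audit).
REGISTERED = {"partner.example", "vendor.example"}

class ExternalRefs(HTMLParser):
    """Collect third-party hosts of resources the browser fetches on page load."""
    LOAD_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.hosts = {}  # host -> tags that reference it

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        host = urlparse(url).hostname if url else None  # None for relative URLs
        if host and host != self.own_host:
            self.hosts.setdefault(host, []).append(tag)

def registrable(host):
    # Simplification: last two labels. Use the Public Suffix List for real domains.
    return ".".join(host.split(".")[-2:])

def find_dangling(html, own_host, is_registered):
    """Return {host: tags} for external hosts whose registrable domain is unregistered."""
    refs = ExternalRefs(own_host)
    refs.feed(html)
    return {h: t for h, t in refs.hosts.items() if not is_registered(registrable(h))}

if __name__ == "__main__":
    found = find_dangling(SAMPLE_HTML, "www.corp.example", REGISTERED.__contains__)
    for host, tags in found.items():
        print(f"DANGLING {host} referenced by <{', '.join(tags)}>")
```

Hosts referenced by `script` or `iframe` tags deserve the first look, since a re-registered domain there can run code in the context of the referencing page.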

28 January 2025

Palo Alto Networks is migrating its cloud infrastructure for Advanced DNS Security. The existing Bahrain region is being decommissioned and replaced with a new service region in Qatar, using the following FQDN: dns-qat.service.paloaltonetworks.com.

13 January 2025

The DNS Security Resolver now provides access to a new domain category for content-based DNS signature sources: file-converter.

These sites were previously grouped generically under Computer and Internet Info. You can now apply a discrete policy action for the file-converter domain category, allowing you to block a more specific range of websites.

19 December 2025

The Advanced DNS Security Resolver now allows you to create and manage custom FQDN lists that are independent of DNS Security profiles. Administrators can now apply specific enforcement actions including allow, block, alert, or sinkhole to domains defined in these custom FQDN lists. This capability enables precise control over DNS-based security, allowing organizations to stop communication with custom-identified malicious domains and ensure compliance while strengthening defenses against sophisticated DNS attacks.

19 December 2025

The Advanced DNS Security Resolver now allows you to configure Advanced DNS Security Resolver external dynamic lists to automatically include all subdomains associated with a specific domain entry. This ensures that your security policies apply consistently across the entire domain hierarchy without requiring you to manually define wildcard entries.

08 December 2025

The Advanced DNS Security Resolver now provides support for Prisma® Access Agent connection sources. This allows users defined in your Prisma Access Agent configuration to forward DNS traffic to the Palo Alto Networks Advanced DNS Security Resolver over encrypted HTTPS (DoH) to maintain security visibility and control, providing DNS-based threat protection when the primary VPN tunnel is disconnected or unavailable.

31 October 2025

The Advanced DNS Security Resolver now provides DNS over HTTPS (DoH) query processing, allowing you to analyze and categorize the DNS payload contained within encrypted DNS traffic requests.

18 September 2025

PAN-OS 11.2.9 and later releases provide consolidated service domains for Advanced DNS Security and DNS Security subscription services and the ability to allow users to manually select their preferred regional FQDN settings. This creates a more unified and predictable experience for your DNS security services as it establishes a consistent DNS security inspection process by ensuring both request and response traffic follow the same regional routing path.

28 August 2025

DNS Security now supports a new log type specifically tailored for DNS Security events, enhancing visibility and reporting for both benign and malicious DNS traffic, while also providing comprehensive DNS transaction details, including query and response information.

23 July 2025

The Advanced DNS Resolver service is a new subscription offering by Palo Alto Networks that provides cloud-based DNS resolution and inspection capabilities. This service allows you to forward your internet-bound DNS requests to a secure resolver managed by Palo Alto Networks, offering both domain-to-IP resolution and protection against DNS-based threats based on the Advanced DNS Security cloud service.

6 June 2025

The DNS Security DNS tunnel detector can now minimize data leakage by evaluating individual DNS queries in real time, enabling it to identify malicious tunneling activity from the very first query to the last.

Additional configuration is not required if you have already enabled DNS Security and defined a policy action for Command and Control Domains, which is the parent category for the existing DNS Tunnel Detection DNS threat category.

For more information about the DNS tunnel detector enhancements, refer to: Closing the Gap in DNS Security: Palo Alto Networks' Innovative Approach to Immediate Tunneling Detection.

6 June 2025

Palo Alto Networks now provides access to a secondary FQDN (dns-cn.service.paloaltonetworks.com) for Advanced DNS Security customers in China. This FQDN has an alternative certificate configuration that can help address connectivity issues that might occur when accessing the service from China.

26 March 2025

Palo Alto Networks now provides access to two additional service regions for DNS Security and Advanced DNS Security operations, located in Tel Aviv, Israel and Seoul, South Korea. Typically, the default global service domain automatically connects you to the nearest service provider. However, if you want to override the automatically selected server, you can manually specify the server used to facilitate DNS Security and Advanced DNS Security queries.

27 March 2025

Palo Alto Networks now provides an updated DNS sinkhole service IP as part of its security infrastructure enhancements. For most users, the transition is automatic, as the default setting uses the FQDN (sinkhole.paloaltonetworks.com). However, if you manually configured the settings to use a static Palo Alto Networks Sinkhole IP instead of the default FQDN, you must update your configurations accordingly. For more information on the sinkhole service update, refer to: LiveCommunity Blog

31 January 2025

DNS Security now provides support for Domain Masquerading detection.

31 January 2025

DNS Security now provides support for Malicious TDS detection.

24 July 2024

Threat log entries for DNS stockpiled domains analyzed by DNS Security now display the associated campaign details, context, and techniques used by attackers. This is reflected in the Threat ID/Name field for the log entry for a DNS stockpiled domain.

13 May 2024

Threat log entries for DNS tunneling domains analyzed by DNS Security, including tunneling-based APTs, now display the tunneling tools and attack campaigns associated with the domain. This is reflected in the Threat ID/Name field for the log entry for a DNS tunneling domain.

02 May 2024

The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real time. With access to Advanced DNS Security, you can configure your firewall to detect and block DNS responses from hijacked domains and misconfigured domains.
