When you use DNS on your operating systems and web browsers, you can encrypt the DNS traffic to help maintain privacy and protect traffic from meddler (MitM) attacks. If you configure your PAN-OS firewall to act as a DNS proxy, you can enable encrypted DNS and configure the DNS proxy to accept one or more types of DNS communication from the client: DNS-over-HTTP (DoH), DNS-over-TLS (DoT), or cleartext.

To enforce encryption, you specify the type of encryption that the DNS proxy should use to communicate with DNS servers. If a DNS server rejects encrypted DNS or the DNS proxy does not receive a response from the primary or secondary server within the timeout period, you can configure the DNS proxy to fall back to unencrypted DNS communications with the server.

Additionally, you can enable encrypted DNS on the management interface of the firewall so that DNS requests use DoH, DoT, or fall back to unencrypted DNS.