Traditional Domain Name System (DNS) queries are transmitted in plaintext, leaving enterprise networks vulnerable to eavesdropping and manipulation. To protect the integrity of your security posture and ensure high network privacy, the Advanced DNS Security Resolver now allows DNS over HTTPS (DoH) query processing, allowing you to analyze and categorize the DNS payload contained within encrypted DNS traffic requests. This capability is provided through the Advanced DNS Security Resolver service, managed seamlessly through Strata Cloud Manager. By utilizing DoH, you ensure all DNS resolution is encrypted, preventing malicious actors and external parties from viewing or modifying your critical user traffic.

The Advanced DNS Security Resolver implementation supports both binary and JSON formats through GET and POST endpoints, following RFC standards and operating over HTTP/1.1 and HTTP/2. The service is accessed through a static domain (https://edge-dns.service.paloaltonetworks.com/dns-query) and authenticates users through the source IP validation for campus/branch users connecting directly. This architecture protects sensitive DNS traffic from interception while maintaining compatibility with existing DNS infrastructure, with built-in security measures including rate limiting, token validation, and policy enforcement based on tenant configuration.

Initial support for analysis and categorization of DNS payloads contained within DoH requests is limited to campus/branch environments that have been registered as connection sources in Strata Cloud Manager.