Advanced DNS Security Powered by Precision AI®
Test Domains
Table of Contents
Expand All
|
Collapse All
Advanced DNS Security
Test Domains
Verify your policies using DNS Security test domains. Safely simulate malware, C2, and
phishing hits to ensure your Anti-Spyware profiles and actions trigger
correctly.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
To ensure your security policies are correctly intercepting and enforcing actions on
malicious traffic, Palo Alto Networks provides a set of dedicated DNS Security
test domains. These domains allow you to safely simulate hits for specific
threat categories—such as malware, command-and-control (C2), or phishing—without
exposing your network to actual malicious content.
By attempting to resolve these domains from a client behind the firewall, you can
verify that your Anti-Spyware profile is correctly attached to your security
policy and that the designated action (such as Alert, Block, or
Sinkhole) is being triggered.
- Access the following test domains to verify that the policy action for a given threat type is being enforced:
- DNS Tunneling—test-dnstun.testpanw.com
- Dynamic DNS*—test-ddns.testpanw.com
- Malware—test-malware.testpanw.com
- Newly Registered Domains*—test-nrd.testpanw.com
- Phishing*—test-phishing.testpanw.com
- Grayware*—test-grayware.testpanw.com
- Parked*—test-parked.testpanw.com
- Proxy Avoidance and Anonymizers*—test-proxy.testpanw.com
- Fast Flux*—test-fastflux.testpanw.com
- Malicious NRD*—test-malicious-nrd.testpanw.com
- NXNS Attack*—test-nxns.testpanw.com
- Dangling*—test-dangling-domain.testpanw.com
- DNS Rebinding*—test-dns-rebinding.testpanw.com
- DNS Infiltration*—test-dns-infiltration.testpanw.com
- Wildcard Abuse*—test-wildcard-abuse.testpanw.com
- Strategically-Aged*—test-strategically-aged.testpanw.com
- Compromised DNS*—test-compromised-dns.testpanw.com
- Ad Tracking*—test-adtracking.testpanw.com
- CNAME Cloaking*—test-cname-cloaking.testpanw.com
- Ransomware*—test-ransomware.testpanw.com
- Stockpile*—test-stockpile-domain.testpanw.com
- Cybersquatting*—test-squatting.testpanw.com
- Subdomain Reputation*—test-subdomain-reputation.testpanw.com
- Fake/Malicious Software Hosting Domains*—test-fake-software.testpanw.com
The test domains marked with an * are not supported in PAN-OS 9.1.Access the following test domain to verify that the policy action for a given threat type is being enforced:- DNS Misconfiguration Domain (Claimable)—http://test-dnsmisconfig-claimable-nx.testpanw.com
The following test domain test cases should be added to your DNS server zone file of testpanw.com before accessing the domain. These test cases match against the Advanced DNS Security signatures and will generate the appropriate logs. Verify that the policy action for a given threat type is being enforced.-
DNS Misconfiguration Domain (Zone Dangling) Test Cases HostRecord TypeRecord Data*.test-dnsmisconfig-zone-dangling.testpanw.comA1.2.3.4 -
Hijacking Domain Test Cases HostRecord TypeRecord Datatest-ipv4.hijacking.testpanw.comA1.2.3.5*.test-ipv4-wildcard.hijacking.testpanw.comA1.2.3.6test-ipv6.hijacking.testpanw.comAAAA2607:f8b0:4005:80d::2005test-cname-rrname.hijacking.testpanw.comCNAME1.test-cname-wc.hijacking.testpanw.comtest-cname-rrname-wc.hijacking.testpanw.comCNAME1.test-cname-wildcard-1.hijacking.testpanw.com*.test-cname-rrname-sub-wc.hijacking.testpanw.comCNAME2.test-cname-wc.hijacking.testpanw.comtest-ns-rrname.hijacking.testpanw.comNStest-ns.hijacking.testpanw.comtest-ns-rrname-rdata-wc.hijacking.testpanw.comNS1.test-ns-wc.hijacking.testpanw.com1.test-ns-rrname-sub-wc.hijacking.testpanw.comNStest-ns.hijacking.testpanw.comtest-rrname-wc.hijacking.testpanw.comNStest-ns-2.hijacking.testpanw.comFor NS records, you must use the following option:"dig +trace NS"
Verify that the DNS query request has been processed by DNS Security by monitoring the activity.