The DNS Security service collects DNS request and response information, together with the matching firewall security policy rule, its associated action, and the DNS query details, when the firewall performs domain lookups. The firewall forwards this supplemental DNS data to the DNS Security cloud servers, where Palo Alto Networks services use it to provide more accurate domain information (such as provider ASN, hosting information, and geolocation). This supplemental data is not required to operate the DNS Security service, but it provides the basis for improved analytics, DNS detection, and prevention capabilities. Submission occurs within 30 seconds of collection, and batching does not impact firewall performance. When the firewall is under high load, DNS data collection scales down as needed to maintain expected performance levels.
The firewall can submit the following data fields:

Field          Description
Action         The policy action taken on the DNS query.
Type           The DNS record type.
Response       The IP address that the domain in the DNS query resolved to.
Response Code  The DNS response code received as the answer to the DNS query.
Source IP      The IP address of the system that made the DNS request.
Source User    The identity of the DNS requester, shown when the firewall User-ID feature is enabled.
Source Zone    The configured source zone referenced in your security policy rule.
DNS expanded data collection is bypassed for domains added
to the Allow list in DNS Exceptions.
Data fields that could be used to identify users (Source IP, Source User, and Source Zone) can be withheld from automatic submission with the following CLI command:
set deviceconfig setting ctd cloud-dns-privacy-mask yes
You must commit the change for the setting to take effect.
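As an added illustration (not Palo Alto Networks code), the following Python models the two documented controls on the submitted fields: the DNS Exceptions allow-list bypass and the privacy mask that withholds Source IP, Source User, and Source Zone. The query record, allow list, and exact-match domain comparison are constructed assumptions for the example.

```python
"""Model of which DNS Security telemetry fields a firewall would submit.

Constructed example, not PAN-OS code. It applies the two documented rules:
domains on the DNS Exceptions allow list bypass expanded data collection,
and with cloud-dns-privacy-mask enabled the user-identifying fields
(Source IP, Source User, Source Zone) are withheld from submission.
"""
from typing import Optional

# Field names as listed in the documentation table.
ALL_FIELDS = ("Action", "Type", "Response", "Response Code",
              "Source IP", "Source User", "Source Zone")

# Fields withheld by: set deviceconfig setting ctd cloud-dns-privacy-mask yes
IDENTIFYING_FIELDS = frozenset({"Source IP", "Source User", "Source Zone"})


def submitted_record(query: dict, allow_list: set, privacy_mask: bool) -> Optional[dict]:
    """Return the fields that would be forwarded, or None if collection is bypassed.

    Assumption: allow-list matching is an exact, case-insensitive domain match
    (a simplification; the real DNS Exceptions matching is not modelled here).
    """
    domain = query["domain"].rstrip(".").lower()
    if domain in allow_list:
        return None  # allow-listed domain: expanded data collection is bypassed
    record = {f: query[f] for f in ALL_FIELDS if f in query}
    if privacy_mask:
        for f in IDENTIFYING_FIELDS:
            record.pop(f, None)  # withhold user-identifying fields
    return record


# Constructed sample query (values are illustrative placeholders).
SAMPLE_QUERY = {
    "domain": "example.com.",
    "Action": "sinkhole",
    "Type": "A",
    "Response": "192.0.2.10",
    "Response Code": "NOERROR",
    "Source IP": "10.1.2.3",
    "Source User": "corp\\alice",
    "Source Zone": "trust",
}

if __name__ == "__main__":
    print(submitted_record(SAMPLE_QUERY, set(), privacy_mask=False))
    print(submitted_record(SAMPLE_QUERY, set(), privacy_mask=True))
    print(submitted_record(SAMPLE_QUERY, {"example.com"}, privacy_mask=True))
```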