DNS Security is a continuously evolving threat prevention cloud service that is designed
to protect and defend your network from advanced DNS-based threats. By applying advanced
machine learning and predictive analytics to a diverse range of threat intelligence
sources, DNS Security rapidly generates enhanced DNS signatures to defend against known
malicious DNS categories and performs real-time analysis of DNS requests to defend your
network against newly generated and unknown malicious domains. DNS Security can detect
various C2 threats, including DNS tunneling, DNS rebinding attacks, domains created
using auto-generation, malware hosts, and many more. DNS Security requires and works
with your Advanced Threat Prevention or Threat Prevention subscription for complete DNS
threat coverage. Combined with an extensible cloud architecture, DNS Security provides
access to a scalable threat intelligence system to keep your network protections up to
date.

Before you can enable and configure DNS Security, you must obtain and install a Threat
Prevention (or Advanced Threat Prevention) license as well as a DNS Security license, in
addition to any licenses for the platform on which it is operated. Licenses are activated
from the Palo Alto Networks Customer Support Portal and must be active before DNS
analysis can take place. Additionally, DNS Security (similar to other Palo Alto Networks
security services) is administered through security profiles, which in turn depend
on the configuration of network enforcement policies as defined through security rules.
Before enabling DNS Security, it is recommended that you familiarize yourself with the
core components of the security platform in which the security subscriptions are enabled.
Refer to your product documentation for more information.

To enable DNS Security, you must create (or modify) an Anti-Spyware security profile to
access the DNS Security service, configure the log severity and policy settings for the
DNS signature category (or categories), and then attach the profile to a security policy
rule.