topic EDL Dynamic Domain list that is allowed in Anti-spyware profile&gt; DNS Polices is getting sinkholed in Advanced Threat Prevention Discussions https://live.paloaltonetworks.com/t5/advanced-threat-prevention/edl-dynamic-domain-list-that-is-allowed-in-anti-spyware-profile/m-p/573646#M2079 <P>We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.</P> <P>We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile &gt; DNS Policies &gt; for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.</P> <P>Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor &gt; Threats that these domains are blocked by the Blocked EDL.</P> <P>We have been working with the TAC since yesterday, and it seems no luck on that.</P> <P>Thank you</P> <P>&nbsp;</P> Fri, 19 Jan 2024 15:17:23 GMT Dereje 2024-01-19T15:17:23Z EDL Dynamic Domain list that is allowed in Anti-spyware profile> DNS Polices is getting sinkholed https://live.paloaltonetworks.com/t5/advanced-threat-prevention/edl-dynamic-domain-list-that-is-allowed-in-anti-spyware-profile/m-p/573646#M2079 <P>We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.</P> <P>We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile &gt; DNS Policies &gt; for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.</P> <P>Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor &gt; Threats that these domains are blocked by the Blocked EDL.</P> <P>We have been working with the TAC since yesterday, and it seems no luck on that.</P> <P>Thank you</P> <P>&nbsp;</P> Fri, 19 Jan 2024 15:17:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/edl-dynamic-domain-list-that-is-allowed-in-anti-spyware-profile/m-p/573646#M2079 Dereje 2024-01-19T15:17:23Z Re: EDL Dynamic Domain list that is allowed in Anti-spyware profile> DNS Polices is getting sinkholed https://live.paloaltonetworks.com/t5/advanced-threat-prevention/edl-dynamic-domain-list-that-is-allowed-in-anti-spyware-profile/m-p/578138#M2101 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18576">@Dereje</a><A href="https://ballsportsgear.com/" target="_self">BallSportsGear</A><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18576">@Dereje</a>&nbsp;wrote:<BR /> <P>We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.</P> <P>We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile &gt; DNS Policies &gt; for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.</P> <P>Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor &gt; Threats that these domains are blocked by the Blocked EDL.</P> <P>We have been working with the TAC since yesterday, and it seems no luck on that.</P> <P>Thank you</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Hello,</P> <P>&nbsp;</P> <P>It seems that you are experiencing a known issue with the DNS Security feature in PAN-OS 10.1.11-h4. According to the Palo Alto Networks Knowledge Base, there is a bug that causes the DNS Security to incorrectly sinkhole domains that are in the allow list of the DNS policy. This bug affects the VM-Series firewalls that are configured as DNS proxies and use external dynamic lists (EDLs) of type domain in the DNS policy.</P> <P>&nbsp;</P> <P>The workaround for this issue is downgrade the PAN - OS version 10.1,10 or earlier or to upgrade to&nbsp;10.1.12 or later, which have fixed this bug. Alternatively, you can disable the DNS Security feature on the VM-Series firewalls until you can upgrade or downgrade the PAN-OS version.</P> <P>&nbsp;</P> <P>I hope this helps to understand and resolve the issue.&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P><SPAN data-sheets-root="1" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;Nicholas185Smith&quot;}" data-sheets-userformat="{&quot;2&quot;:817,&quot;3&quot;:{&quot;1&quot;:0},&quot;7&quot;:{&quot;1&quot;:[{&quot;1&quot;:2,&quot;2&quot;:0,&quot;5&quot;:{&quot;1&quot;:2,&quot;2&quot;:0}},{&quot;1&quot;:0,&quot;2&quot;:0,&quot;3&quot;:3},{&quot;1&quot;:1,&quot;2&quot;:0,&quot;4&quot;:2}]},&quot;8&quot;:{&quot;1&quot;:[{&quot;1&quot;:2,&quot;2&quot;:0,&quot;5&quot;:{&quot;1&quot;:2,&quot;2&quot;:0}},{&quot;1&quot;:0,&quot;2&quot;:0,&quot;3&quot;:3},{&quot;1&quot;:1,&quot;2&quot;:0,&quot;4&quot;:2}]},&quot;11&quot;:3,&quot;12&quot;:0}">Nicholas185Smith</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 28 Feb 2024 03:43:32 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/edl-dynamic-domain-list-that-is-allowed-in-anti-spyware-profile/m-p/578138#M2101 Nicholas185Smith 2024-02-28T03:43:32Z