https://live.paloaltonetworks.com/t5/advanced-threat-prevention/unable-to-resolve-internal-url-s-after-implementing-dns-security/m-p/349956#M940 <P>No, you need to whitelist the domain in the DNS Security local cache.</P> <P>&nbsp;</P> <P>If you ran PAN-OS 10.0 you can configure domain exceptions in the Anti-Spyware profile, but for 9.0 and 9.1 the exception is global and you need to configure it from the CLI.</P> <P>&nbsp;</P> <P>I added instructions in this post&nbsp;<A href="https://live.paloaltonetworks.com/t5/general-topics/disney-domain-being-sinkholed-as-dns-tunneling-domain/m-p/325813" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/disney-domain-being-sinkholed-as-dns-tunneling-domain/m-p/325813</A></P> <P>&nbsp;</P> <P>It would be best to investigate why your internal domain is considered malicious though. It could be an FP and could be whitelisted in the cloud.</P> <P>You can try to see if the domain is listed as a malicious URL Category in&nbsp;<A href="https://urlfiltering.paloaltonetworks.com/query/" target="_blank">https://urlfiltering.paloaltonetworks.com/query/</A>&nbsp;and if it is, request a category change to an otherwise benign category. That will propagate a signal from PAN-DB to DNS Security to also whitelist the domain.</P> Wed, 16 Sep 2020 21:52:40 GMT mivaldi 2020-09-16T21:52:40Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/unable-to-resolve-internal-url-s-after-implementing-dns-security/m-p/346047#M930 <P>I only would like to know if we add<SPAN>&nbsp;</SPAN><STRONG>*.domain.in</STRONG><SPAN>&nbsp;</SPAN>in External dynamic list and if we call that EDL in Antispyware profile with action Alert, then EDL will take preference with alert action and exclude it or DNS security will take preference with sinkhole action.</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Dns security.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27558iD8F5C2DCC5E71A2E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Dns security.PNG" alt="Dns security.PNG" /></span></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P> Mon, 31 Aug 2020 10:15:24 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/unable-to-resolve-internal-url-s-after-implementing-dns-security/m-p/346047#M930 OsamaKhan 2020-08-31T10:15:24Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/unable-to-resolve-internal-url-s-after-implementing-dns-security/m-p/349956#M940 <P>No, you need to whitelist the domain in the DNS Security local cache.</P> <P>&nbsp;</P> <P>If you ran PAN-OS 10.0 you can configure domain exceptions in the Anti-Spyware profile, but for 9.0 and 9.1 the exception is global and you need to configure it from the CLI.</P> <P>&nbsp;</P> <P>I added instructions in this post&nbsp;<A href="https://live.paloaltonetworks.com/t5/general-topics/disney-domain-being-sinkholed-as-dns-tunneling-domain/m-p/325813" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/disney-domain-being-sinkholed-as-dns-tunneling-domain/m-p/325813</A></P> <P>&nbsp;</P> <P>It would be best to investigate why your internal domain is considered malicious though. It could be an FP and could be whitelisted in the cloud.</P> <P>You can try to see if the domain is listed as a malicious URL Category in&nbsp;<A href="https://urlfiltering.paloaltonetworks.com/query/" target="_blank">https://urlfiltering.paloaltonetworks.com/query/</A>&nbsp;and if it is, request a category change to an otherwise benign category. That will propagate a signal from PAN-DB to DNS Security to also whitelist the domain.</P> Wed, 16 Sep 2020 21:52:40 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/unable-to-resolve-internal-url-s-after-implementing-dns-security/m-p/349956#M940 mivaldi 2020-09-16T21:52:40Z