https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/273456#M75038 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;</P> <P>If a DNS query is sinkholed by ThreatPrevention, it will not need to be looked up by DNS Security.&nbsp;</P> <P>DNS Security does cloud lookups for every query it sees (unless the result is already cached) pretty much in the same way URL Filtering works. It is applied in the DNS Signatures&nbsp; section of the AntiSpyware profile, there is no local database, rather a cache is used and cloud lookups are done through the management interface (or a service route)</P> Thu, 27 Jun 2019 10:02:59 GMT reaper 2019-06-27T10:02:59Z https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/272380#M74908 <P>&nbsp;</P><P>With PAN OS 9.0 Does PA do cloud clookup for everydomain&nbsp;</P><P>or&nbsp;</P><P>&nbsp;</P><P>only for domains which are not in DNS sinkhole of Antispyware profile?</P><P>&nbsp;</P><P>I was told DNS security is a&nbsp; part of PAN DB&nbsp; so when clouds verdict is that particular domain is&nbsp; bad hows does this info come to PA in real time?</P><P>&nbsp;</P><P>I know it comes via Management interface but which security profile or database it uses to update the PA?</P><P>&nbsp;</P> Sat, 22 Jun 2019 02:19:23 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/272380#M74908 MP18 2019-06-22T02:19:23Z https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/273456#M75038 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;</P> <P>If a DNS query is sinkholed by ThreatPrevention, it will not need to be looked up by DNS Security.&nbsp;</P> <P>DNS Security does cloud lookups for every query it sees (unless the result is already cached) pretty much in the same way URL Filtering works. It is applied in the DNS Signatures&nbsp; section of the AntiSpyware profile, there is no local database, rather a cache is used and cloud lookups are done through the management interface (or a service route)</P> Thu, 27 Jun 2019 10:02:59 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/273456#M75038 reaper 2019-06-27T10:02:59Z https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284433#M76300 <P>Many thanks Reaper.</P> Wed, 21 Aug 2019 19:25:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284433#M76300 MP18 2019-08-21T19:25:15Z https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284460#M76303 <P>Ok, maybe I need to seek clarification.</P><P>&nbsp;</P><P>From the education training courses, it is understood/taught that DNS Security is used in the sinkhole function of the Spyware profile.</P><P>I am confused if anyone says DNS Security is sinkholed by Threat Prevention.</P><P>It is actually (in my mind) that the DNS Security license is using being used in sinkhole functionality, for the purpose of Threat Prevention.&nbsp;</P><P>&nbsp;</P><P>I also believe that PANW asks customer to enable the Passive DNS Monitoring under Telemetry to find new unsual DNS queries to be sent to WF, to be confirmed that the DNS query is a fast flux domain, and then it pushed down or updated the Malware or Command and Control URL categories in the PAN-DB.</P><P>&nbsp;</P><P>Comments accepted.&nbsp; <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Wed, 21 Aug 2019 21:01:08 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284460#M76303 S.Cantwell 2019-08-21T21:01:08Z https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284464#M76305 In the spyware profile there are 2 sinkhole profiles, -one for threat prevention, which is updated through dynamic updates and is basically a list of bad dns queries, -the second uses dynamic lookups through the dns security service They both perform the same function but through different source mechanics Your passive dns comment is correct Wed, 21 Aug 2019 21:23:03 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-security-and-cloud-lookup/m-p/284464#M76305 reaper 2019-08-21T21:23:03Z