DNS license and PAN OS 9.0

L4 Transporter



During Ignite we were told that DNS is coming as a license service in PAN OS 9.0.

Need to know: is this service different from DNS sinkhole?

If it is, how?

Community Manager

Re: DNS license and PAN OS 9.0

It's an additional database for DNS sinkhole, but the original Threat Prevention database is loaded each time a dynamic update is downloaded and installed and is static, while the new DNS Security Service works more like URL filtering, as it looks up each DNS request and gets a match from the cloud: https://docs.paloaltonetworks.com/dns-security

Reaper out
L4 Transporter

Re: DNS license and PAN OS 9.0

Thanks for the useful link.

Does it mean that on PAN OS 8.1 we have limited signatures? When I check on antispyware it shows 7650.

On PAN OS 9.0 using the DNS license, how many do we have in the cloud? Any idea?

Currently, if we are using application as DNS and service as app-default, will this protect us from DNS tunneling on PAN OS 8.1?



L5 Sessionator

Re: DNS license and PAN OS 9.0

DNS security doesn't use signatures on the device. It is a cloud service; every DNS query is sent to the PA cloud to be checked.

To use it you need the license and PAN-OS 9.0.

DNS with app-default doesn't protect you from DNS tunneling because the DNS queries used for it are compatible with the protocol.
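
The point made in the reply above, as an added example that is not part of the original thread and is not Palo Alto Networks code: a tunneling-style query passes a DNS syntax check just like a normal lookup, so it takes a content heuristic (here, length and entropy of the subdomain data) to tell them apart. The function names, the thresholds, the two-label zone assumption and the sample query names are all constructed for illustration and do not describe how the DNS Security service classifies queries.

```python
import math
import re
from collections import Counter

# RFC 1035 syntax limits: each label 1-63 bytes, whole name at most 253 characters.
# Underscore is accepted because it occurs in real DNS names (e.g. service labels).
LABEL_RE = re.compile(r"^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$", re.I)

def is_protocol_valid(qname: str) -> bool:
    """True if the name is syntactically valid DNS, which is all a protocol check sees."""
    name = qname.rstrip(".")
    return len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_tunnel(qname: str, zone_labels: int = 2,
                      max_sub_len: int = 40, max_entropy: float = 3.8) -> bool:
    """Heuristic: long, high-entropy data to the left of the zone.
    Assumptions: the zone is the last `zone_labels` labels (no public suffix
    list is consulted) and the thresholds are illustrative, not vendor values."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-zone_labels])
    if not sub:
        return False
    return len(sub) > max_sub_len and shannon_entropy(sub) > max_entropy

# Constructed sample queries; example.com and example.net are reserved names.
SAMPLES = [
    "www.example.com",
    "mail.eu-west.example.net",
    "mzxw6ytboi2gk3tfmrqwy3dpnzsxg5dfon2ca."
    "orugs4zanfzsa5dfon2gs3thebqxizlsnfxgo.t.example.com",
]

def classify(names):
    """Return (name, protocol_valid, suspicious) for each query name."""
    return [(n, is_protocol_valid(n), looks_like_tunnel(n)) for n in names]

if __name__ == "__main__":
    for name, valid, suspicious in classify(SAMPLES):
        print(f"valid={valid!s:5} suspicious={suspicious!s:5} {name}")
```

All three sample names are valid DNS, and only the third is flagged by the heuristic.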
