Extending Advanced DNS Security Resolver to Prisma Access Agent

Community Blogs

The Domain Name System is the backbone of internet communication, yet it remains one of the most frequently targeted attack vectors. Palo Alto Networks Unit 42® found that 85% of malware leverages DNS to establish command-and-control (C2) communication, alongside other tactics such as phishing, ransomware delivery, and data exfiltration. While organizations may have fortified their perimeters, the modern distributed workforce creates a persistent "last mile" challenge: the mobile user.


Mobile users may need to disconnect their Secure Access Service Edge (SASE) agent to bypass captive portals, circumvent site restrictions, or resolve underlying network connectivity issues. In such cases, the user's device silently reverts DNS traffic to an unmonitored local ISP resolver. This creates a significant visibility gap. Traditional resolvers were built to answer queries quickly, not to secure them; they lack the inline inspection required to detect threats. Consequently, when a user disconnects, they step into a blind spot where sophisticated threats such as DNS tunneling, command-and-control (C2), and DNS hijacking can operate unnoticed. Historically, security teams have had to balance the risk of invisible threats against the need for mobile productivity. We have engineered a modern solution that delivers both.


We are excited to announce support for Advanced DNS Security Resolver (ADNSR) in the Prisma Access Agent. This integration ensures that your DNS security travels with the device, even when the agent tunnel is disconnected, thereby closing one of the most persistent visibility gaps in the modern enterprise. This new capability ensures that enterprise-grade, Precision AI™-powered Advanced DNS protection follows your users, regardless of their connection status.


The Solution: Always-On DNS Security


The concept is simple but powerful: security is engineered to be persistent, so policy enforcement follows the user wherever they go. When you enable ADNS, the Prisma Access Agent effectively becomes an intelligent DNS guardian. When a full network tunnel is unavailable or disabled, the agent automatically adapts, intercepting DNS queries and forwarding them to Palo Alto Networks ADNS Anycast resolvers over an encrypted DNS-over-HTTPS (DoH) connection.

This ensures that "baseline security protections remain in place regardless of connection status." ADNS Security Resolver applies your configured security rules, including blocking malicious domains and sinkholing C2 traffic, and applying content categorization to uphold acceptable use policies even when users are off the network. Ultimately, your users get the direct-to-internet performance they need, and you get the visibility and control your security posture demands.


Technical Deep Dive: How It Works


The implementation relies on three sophisticated mechanisms to ensure resilience without breaking user workflows:


  • Intelligent Fallback & Forwarding Profiles: The system uses Forwarding Profiles to manage connectivity logic. You can configure a "Best Available" model where the agent prioritizes the VPN tunnel but seamlessly fails over to ADNS if the tunnel drops. This capability ensures security remains active, even during the "last mile" connectivity challenges common to mobile work.
  • Preserving Local Connectivity (Handling Exclusions): A significant risk with cloud-based DNS is breaking local resources. If a user is at a hotel or home office, they still need to resolve local domains, like captive portals (login.wifi) or local printers, which the cloud resolver cannot see. We solve this with Destination Exclusions. You can define specific domains (e.g., *.local, *.internal, or captive portal domains) that bypass ADNS and route to the endpoint's local resolver. This ensures users can still access local network resources without compromising the security of their external internet traffic.
  • Secure, Token-Based Authentication: To secure the communication between the agent and our resolver, we utilize Authentication Tokens. The system supports device tokens that remain valid for up to 6 months, ensuring the device remains authenticated and protected even if the user isn't actively logged into the agent interface.
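To make the fallback and exclusion logic concrete, here is an added illustration of the "Best Available" decision described above. It is example code, not the Prisma Access Agent's implementation; the decision order, the label-anchored wildcard semantics for exclusions, and the handling of an invalid device token are assumptions.

```python
# Added illustration of the "Best Available" forwarding decision, not the
# Prisma Access Agent's own code. Decision order, the label-anchored wildcard
# semantics and the invalid-token handling are assumptions for this example.
from dataclasses import dataclass, field
from enum import Enum


class Path(Enum):
    TUNNEL = "vpn-tunnel"      # full SASE tunnel is up: resolve through it
    ADNS_DOH = "adns-doh"      # tunnel down: ADNS Anycast resolver over DoH
    LOCAL = "local-resolver"   # destination exclusion: endpoint's local resolver


@dataclass
class ForwardingProfile:
    exclusions: list[str] = field(default_factory=list)  # "*.local", "login.wifi", ...
    device_token_valid: bool = True                       # ADNS authentication token state


def matches_exclusion(qname: str, pattern: str) -> bool:
    """Label-anchored match: '*.local' matches 'printer.local' but not
    'printer.local.example.com'. A plain substring check would also exclude
    the latter from inspection, which is exactly the gap exclusions must not open."""
    q = qname.rstrip(".").lower()
    p = pattern.rstrip(".").lower()
    if p.startswith("*."):
        suffix = p[1:]                              # ".local"
        return q.endswith(suffix) and len(q) > len(suffix)
    return q == p


def choose_path(qname: str, tunnel_up: bool, profile: ForwardingProfile) -> Path:
    """Prefer the tunnel; when it is down, send excluded names to the local
    resolver and everything else to ADNS over DoH."""
    if tunnel_up:
        return Path.TUNNEL
    if any(matches_exclusion(qname, pat) for pat in profile.exclusions):
        return Path.LOCAL
    if not profile.device_token_valid:
        # Assumption: with no valid device token the agent cannot authenticate to
        # ADNS; surface that rather than quietly falling back to the ISP resolver.
        raise RuntimeError("ADNS device token invalid; query would go uninspected")
    return Path.ADNS_DOH
```

Keep exclusion lists as narrow as the local resources require, since every name they match is resolved without ADNS inspection.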


Revolutionary Capabilities Driven by Precision AI™


This solution moves beyond simple routing to deliver real-time, inline security encompassing both DNS Request and Response inspection. The Prisma Access Agent connects your endpoints directly to the powerful Precision AI™ technology that drives our Advanced DNS Security capabilities.

This technology prevents 2.06B DNS threats every single day. By extending this inspection to the endpoint, you are effectively preventing "patient zero" scenarios. You can block malicious traffic distribution systems, DNS hijacking, domain generation algorithms (DGAs), and ultra-slow DNS tunneling, and prevent C2 callbacks before a malicious connection is ever established.


Product Capabilities


  • Unified DNS Protection: Consistent DNS inspection and enforcement across all environments, including campus, branch, data center, remote users, and IoT devices.
  • Full Path DNS Inspection and Inline Enforcement: Analyze DNS requests and responses in real time to block malicious activity before resolution and surface issues such as DNS misconfigurations that create hidden risk.
  • Precision AI Driven Detection: Leverage Precision AI and rich global telemetry to identify zero-day domains and evasive behaviors, including tunneling, command and control activity, DGAs, fast flux, and domain shadowing.
  • Content Categorization Intelligence: Classify domains accurately using global threat intelligence and ML to prevent access to risky, malicious, or newly registered domains before users ever reach them.
  • Unified Management and Operations: Centrally manage policies, configurations, and DNS security operations through Strata Cloud Manager for all users, apps, and devices.
  • Multiple Enforcement Points for DNS Security: Enforce DNS security consistently across hardware firewalls, software firewalls, cloud NGFW, SASE, and resolver-based deployments.
  • Deep Cross Platform Correlation: Integrate DNS telemetry with firewall, endpoint, and cloud signals for a complete view of multi-vector attack chains.
  • Shared Intelligence and Behavioral Analysis: Leverage global threat intelligence and behavioral analytics to expose emerging risks beyond static lists.


Key Benefits


  • Consistent Security Everywhere: Extend enterprise-grade DNS protection to users working at customer sites, hotels, or home offices, ensuring they have the same level of security off-network as they do on-network.
  • Reduce Data Exfiltration Risk: Detect and block DNS tunneling, command-and-control activity, and covert channels.
  • Close the Visibility Gap: Eliminate the blind spots created when users disconnect their VPNs. You gain essential telemetry for threat hunting, seeing exactly which user initiated a malicious query, even when the user disconnects the tunnel.
  • Simplified Operations: Management is centralized in Strata Cloud Manager. You can define your Prisma Access Agent configurations and DNS security profiles in a single interface, ensuring uniform policy enforcement.
  • Fast and Seamless End User Experience: Benefit from a globally distributed architecture optimized for low latency and high performance.


The extension of Advanced DNS Resolver to Prisma Access Agent represents a pivotal step in securing the hybrid workforce. It empowers organizations to maintain a robust security posture without hindering user productivity or connectivity.


Get Started with Always-On DNS Protection for Mobile Users


Extend Advanced DNS Security Resolver protection to Prisma Access Agent users in just a few simple steps. Centrally manage policies in Strata Cloud Manager to ensure DNS-layer security remains active even when users disconnect from the tunnel, closing last-mile visibility gaps without impacting productivity.

Get started today:

  • Configure: Log in to Strata Cloud Manager and set up Forwarding Profiles to include ADNS connectivity.
  • Define: Create destination exclusions for internal domains to ensure seamless access to local resources.
  • Deploy: Push the updated configuration to mobile users to activate protection immediately.

For a detailed configuration guide, please refer to the Technical Documentation.
