New DNS Security Category: AdTracking

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker



As part of PAN-OS 10.0 release, Palo Alto Networks will be adding a new DNS Security category called AdTracking and its subcategory adtracking_cname_cloaking. 


ACTION: Action may be required. Please consider impact in alignment with organization policies.


What is AdTracking?


AdTracking is a new category created for CNAME cloaking techniques introduced as part of DNS security service. CNAME cloaking allows website trackers to hide the origin of a script or cookie using CNAME records. This allows the tracker to receive and set cookies in the first-party context, circumventing protection the browser might have against third-party tracking. Attackers can leverage this technique to steal sensitive user information. Our new detection engine can detect cloaked FQDN and add it as part of the AdTracking category for security administrators to take appropriate action. 


When will the AdTracking category be available in DNS Security?

This category will be available as part of a content-update in the  PAN-OS 10.0 release. It will go live through the content update released the week of June 20th, 2022. The default policy action will be set to "Allow" and default log severity will be "Informational" under the anti-spyware profile. Administrators can choose policy actions associated with this category — including Block, Allow or Sinkhole. Palo Alto Networks best practices recommendation is to Sinkhole. 


On 9.0 and 9.1 releases, AdTracking category support is not available and DNS requests to this category will be allowed. For categories supported in those PAN-OS releases, please refer to the following documentation on DNS Security.


Are there test domains for the new category?



Additional Information:

DNS Security Signature Categories


  • 325 Subscriptions
Register or Sign-in