This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Precision and Scale: Enhancing Control with Custom FQDN Lists and Automatic EDL Subdomain Expansion

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Blogs
4 min read

Precision and Scale: Enhancing Control with Custom FQDN Lists and Automatic EDL Subdomain Expansion

JayGolf
Community Team Member
‎01-23-2026 10:53 AM

Strata Graphics (1).jpg

 

This blog was written by Gokul Pokuri, Sr. Tehcnical Marketing Engineer

 

How Advanced DNS Security Resolver delivers precise control without added complexity

 

In the world of distributed enterprise security, speed and precision are not just metrics, they are survival traits. While global threat intelligence feeds are essential for stopping known malicious domains, the reality for a Net Ops or Security teams is often more nuanced. You are dealing with unique organizational compliance needs, internal policy violations, and attackers who rapidly shift infrastructure to evade detection.

 

We designed the Advanced DNS Security Resolver (ADNSR) to unify DNS security across your distributed environment. Today, we are introducing two significant enhancements designed to close security gaps and reduce operational friction: Custom FQDN List Support and Automatic Subdomain Expansion for External Dynamic Lists (EDLs).

 

The Challenge: Manual Friction in Modern DNS Security

 

Historically, managing domain-specific policies meant:

 

  • Restricted Actions: Administrators were often limited to "allow-only" overrides for custom domains within specific profiles.
  • Manual Redundancy: Replicating Fully Qualified Domain Names (FQDNs) across multiple security profiles required tedious, error-prone manual re-entry.

 

Precision Control: Custom FQDN Lists for ADNSR

 

The new Custom FQDN List Support breaks the dependency between domain lists and specific DNS Security profiles. Users can now manage FQDN lists as global objects and then add to security profile and define explicit enforcement actions Allow, Block, Alert, or Sinkhole.

 

To populate these lists, the workflow is designed for both speed and scale: You can either manually + Add individual FQDNs to the list or use the Import List function to upload an existing bulk list of FQDNs via a text (.txt) file.

 

Key Benefits:

 

  • Granular policy enforcement: Move beyond simple "allow" overrides. Ensure strict adherence to unique organizational compliance lists by defining explicit "Block", or "Alert" actions for non-compliant domains.
  • Operational Efficiency: Define a list once and reference it across multiple profiles, eliminating the need for manual replication and configuration errors.
  • Decoupled Management: Manage your unique threat and compliance posture independently of standard threat feeds.

 

By defining these custom FQDN lists, you strengthen your first line of defense against sophisticated, DNS-based attacks while simplifying your policy management.

 

Sample Configuration:

 

On SCM, Select Manage > Configuration > ADNS Resolver > DNS Security Profiles and then go to the Custom FQDN List tab.

 

JayGolf_0-1769192333079.png

 

JayGolf_0-1769193255466.png

 

JayGolf_1-1769193301084.png

 

Eliminating gaps at scale: Enhanced EDL Subdomain Expansion

 

The Automatic EDL Subdomain Expansion feature allows ADNSR to treat a standard domain entry (e.g., example.com) also as an implicit wildcard (*.example.com).

 

Key Benefits:

 

  • Seamless Coverage: The system generates an implicit wildcard entry for each domain you add. This ensures your security policies apply consistently across the entire domain hierarchy without requiring manual wildcard definitions.
  • Reduced Risk: By eliminating the need for manual subdomain entry, you mitigate the risk of "shadow subdomains" bypassing your security filters.

 

Enabling this feature drastically simplifies EDL domain management, ensuring that when you decide to block a threat, you are blocking all the subdomains, not just the single domain.

 

Sample Configuration:

 

On SCM, Select Manage > Configuration > ADNS Resolver > DNS Security Profiles and then go to the External Dynamic Lists tab.

 

JayGolf_0-1769193704653.png

 

JayGolf_1-1769193830708.png

 

Conclusion: Streamlining Your Defense

 

Complexity is the enemy of security. These enhancements for ADNSR are designed to eliminate that complexity, allowing for granular policy enforcement and broader coverage that ultimately reduces risk. Whether you are integrating a new acquisition or securing a global branch rollout, these tools ensure your DNS defense remains precise, consistent, and resilient. 

By combining the precision of Custom FQDN Lists with the broad coverage of Automatic Subdomain Expansion, teams can close coverage gaps and meet compliance requirements faster, all while driving down human error and operational overhead.

 

Looking to simplify DNS security and extend protection across your entire environment? Contact your Palo Alto Networks representative or visit our Advanced DNS Security page to get started.

 

For a detailed configuration guide, please refer to the Technical Documentation.

0 Likes Likes
  • 2249 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Contributors
Popular Blogs
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks