Programmatic DNS Security: How to Automate Advanced DNS Security Resolver (ADNSR) Configuration via REST APIs


As modern enterprises evolve into highly distributed network environments, securing the DNS layer across hundreds of branches, campuses, and data centers has transitioned from a best practice to a critical requirement. Palo Alto Networks Advanced DNS Security Resolver (ADNSR)—powered by Precision AI—provides robust, cloud-delivered defense against advanced threats like C2 channels, DNS tunneling, and malicious software hosting domains right at the DNS layer.

 

However, as your footprint scales, configuring and updating the connection source IP addresses and subnets for these branch sites manually inside a graphical user interface (GUI) can become a tedious, error-prone task, introducing severe operational bottlenecks. To solve this, the recent May 2026 release introduces programmatic configuration support via REST APIs for ADNSR.  Customers managing multiple distributed sites can seamlessly automate network configuration and resolver management pipelines, with full documentation readily accessible via the pan.dev portal. 

 

In this blog, we will explore the major advantages of transitioning to an API-driven DNS security architecture and provide a complete usability walk-through to help you integrate ADNSR workflows into your DevOps or NetSecOps automated pipelines.

 

Why Choose API-Driven Configurations? The Key Advantages

 

Relying purely on UI workflows creates gaps between security administration and infrastructure deployment. Embracing a programmatic approach with REST APIs unlocks several immediate business and technical benefits:

 

  • Unmatched Scale and Agility: Instead of onboarding new branch offices or cloud egress points one by one, network engineers can script the creation of DNS security connection sources.  Provisioning that previously took hours can now be drastically streamlined, reducing deployment time.
  • Infrastructure as Code (IaC) Alignment: Modern enterprise deployments thrive on consistency. By leveraging APIs, your ADNSR profiles, external dynamic lists (EDLs), and connection source definitions can be codified alongside the rest of your network policies via tools like Terraform or custom Ansible playbooks.
  • Elimination of Configuration Drift: Manual interventions open the door to human error—such as mismatched security profiles or mistyped IP addresses. Using automated API workflows helps ensure that every newly deployed environment remains consistent across your configuration.

 

Step-by-Step Usability Guide: Managing ADNSR via SCM APIs

 

Configuring your Advanced DNS Security Resolver programmatically is a clean, multi-step process that bridges your API client directly with the Strata Cloud Manager platform. Let's walk through the end-to-end usability flow for creating a Connection Source object.

 

Step 1: Secure Your Access (Authentication)

 

Before interacting with any ADNSR resources, your automated systems must establish identity and secure access. SCM mandates OAuth 2.0 authentication via service accounts.

 

 

  1. Create a Service Account: Navigate to your identity and access management panel to generate a dedicated service account with the appropriate administrative roles for Advanced DNS Security Resolver management.
  2. Generate your OAuth Token: Use the token endpoint to request a short-lived access token by passing your client credentials:

 

Once authenticated, use this token in the header of all subsequent config requests.

 

Step 2: Provision Your Connection Source Programmatically

 

Connection sources define the egress IP addresses from your network environments authorized to forward traffic to ADNSR. Using your favorite API client (such as Postman or a custom cURL script), you can provision these sources instantly.

 

Send a POST request to target the ADNSR connection sources configuration path:

 

  • HTTP Method: POST

 

 

Example JSON Request Body:

 

JSON

{
  "name": "cx-using-api",
  "profile_id": "1",
  "description": "Test-Profile"
}

 

The API Response: When the system successfully registers your input, the server returns a 201 Created status code along with a populated object payload reflecting its assigned metadata:

 

JSON

{
  "item": {
    "id": "1a022211-748a-44d5-8431-77f6dc1131ab",
    "name": "cx-using-api",
    "description": "Test-Profile",
    "type": "Custom",
    "profile_id": "1",
    "profile_name": "best-practice"
  }
}

 

Step 3: Immediate Synchronization and UI Verification

 

One of the core advantages of the SCM architecture is the immediate consistency between programmatic actions and human visibility.

 

As soon as the 201 Created payload is returned by the API server, your configuration is live inside the Strata Cloud Manager hub. If an administrator opens the Connection Sources UI matrix under the ADNS Resolver menu, the programmatically created entry (cx-using-api) automatically populates with its specified type (Custom), DNS Profile assignment (best-practice), and the given Description. From there, you are ready to bind the respective IPv4/IPv6 egress addresses and complete validation.
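The create-and-verify flow from Steps 2 and 3 can be scripted so that a pipeline fails when the server's stored object differs from what was declared. The following is an added example, not Palo Alto Networks code: `API_URL` is a placeholder (the page does not give the path), the `Bearer` header scheme is an assumption based on standard OAuth 2.0 usage, and the function names and the `send` transport hook are hypothetical.

```python
import json
import uuid
import urllib.error
import urllib.request

# PLACEHOLDER: the page does not give the connection-sources URL.
API_URL = "https://api.example.invalid/PLACEHOLDER/connection-sources"

def build_request(token, source, url=API_URL):
    """Build the POST for one connection source (Bearer scheme is assumed)."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(source).encode(),
                                  headers=headers, method="POST")

def check_created(status, raw_body, requested):
    """Return a list of problems; an empty list means the object matches."""
    if status != 201:
        return ["expected 201 Created, got %s" % status]
    try:
        item = json.loads(raw_body)["item"]
    except (ValueError, KeyError, TypeError):
        item = None
    if not isinstance(item, dict):
        return ["response has no 'item' object"]
    problems = []
    try:
        uuid.UUID(str(item.get("id")))
    except ValueError:
        problems.append("id is missing or not a UUID")
    for field, want in requested.items():
        if item.get(field) != want:  # stored value drifted from the declaration
            problems.append("%s: sent %r, server stored %r"
                            % (field, want, item.get(field)))
    return problems

def provision(token, sources, send):
    """POST each declared source; send(request) must return (status, body)."""
    report = {}
    for source in sources:
        status, raw = send(build_request(token, source))
        report[source["name"]] = check_created(status, raw, source)
    return report

def urllib_send(request):
    """Real transport: HTTPS with urllib's default certificate verification."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
```

Pass `urllib_send` as `send` in a real pipeline, supply the token from a secret store rather than source control, and fail the job if any entry in the returned report is non-empty.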

 


 

Takeaways and Next Steps

 

The addition of API capabilities to the Advanced DNS Security Resolver reflects the reality of modern security engineering: protection must move at the speed of software. By decoupling your DNS layer defense from manual adjustments, you scale threat intelligence effortlessly, safeguard dual-stack workloads, and enforce consistent control globally.

Using the APIs you can now programmatically automate and manage your entire DNS security posture across these core areas:

 

  • Profiles: Configure DNS Security threat protection categories and logging settings.
  • Connection Sources: Define the specific subnets and networks mapping to your resolver.
  • Custom FQDNs: Manage specialized handling for unique domain names.
  • EDL Definitions & CA Certificates: Integrate and manage external dynamic threat intelligence feeds.
  • Internal Domains: Set up local domains to completely bypass external DNS resolution.
  • Misconfigured Domains: Identify and track domains suffering from known configuration errors.
  • Resolver Info: Instantly pull details about resolver IPs and the DoH endpoint.

 

Ready to start building? Explore the exhaustive API documentation and release guidelines on our official developer platforms:

 

 

 

 

 

 

 

 
