I see two possibilities to do this:
@OtakarKlier thanks for your reply
As we observed, sometimes when users access yahoo.com, the user will also get other responses too, like shopping sites, advertising pages, etc. So can we restrict the user to access only yahoo.com rather than add some other DNS query resolution? Please suggest.
I think I am understanding now. If you go to a site like yahoo.com, that person will be seen as going to many different sites and categories. This is due to the nature of the destination site, as the main site may be 1 category, but since the site is dynamic and pulls in other sites to display content, you will see other things, i.e. advertising. So if you block advertising, you will start to see your block page appearing in little places where that particular dynamic content is getting pulled in from.
As you can see from the screenshot, there is a blank spot on the right where an 'Ad' is supposed to be displayed. However, we block them for several reasons.
Hope that makes sense
Just a little correction here: No, we do not want a single IP in response to a domain resolution – a single response can have multiple IP addresses. What we want to achieve is, whenever a client requests a DNS server for a DNS query, Palo Alto should ensure it gets a single response. We basically want to prevent DDoS attacks that are initiated using DNS responses.
Thanks for that clarification. I would recommend following the Palo Alto best practice and configuring a DoS protection policy along with the Zone Protection policy.