How to test DNS Security Properly?

L4 Transporter

In reading up on DNS Security, I found that the URLs provided for testing in the following document, Enabling DNS Security, do not accurately ensure the DNS Security feature license is installed and configured. A very accurate indicator of this is that all of those URLs are adequately blocked on a firewall running PAN-OS 8.1.x due to the PAN-DB URL filtering policies most companies would have enabled.

 

Here is the suggested testing method from the above URL:

So this leads me to the questions...

  1. How DO you accurately test that DNS Security is blocking DGA, DNS Tunneling, etc.?
  2. Can the Administrator Guide please be updated to accurately describe the process ensuring proper enablement of the DNS Security advanced feature?

BTW, @PANW - Why is the Oilrig signature default action "alert" instead of blocking it? Using a strict profile is pretty essential.

 

If you have a successful test plan for DNS Security implementation, please comment.

 

Thanks!
