The steps provided were to show you that the DNS Sinkhole functionality was being actioned/"hit on". While I agree that these same sites are probably used in the Content Profile for URL Categorization, testing was done to provide confirmation that DNS sinkhole was working. I enabled the Spyware profile to use the licensed DNS security feature. But, instead of using the default sinkhole.paloaltonetworks.com FQDN, I used a bogus 9.9.9.9 as my sinkhole. Then I tested the 4 sites. My traffic was blocked, not because of the URL. In looking at the threat logs, I see the action of sinkhole against the IP of my device. For confirmation, I filtered on the Traffic log, and saw 4 hits on a destination IP of 9.9.9.9, which were not there, prior to my testing. Therefore, the DNS Security feature, along with sinkholing to a different IP, shows/provides me confidence that the DNS security feature worked, before the URL filtering profile (which may well have those 4 sites listed), but Spyware profile is what was triggered. Thank you.
... View more