Hello all, I enabled DNS Sinhole on my palo and it is working fine. But now I'm interested in the DNS security license. Please help me understand some things? According to PA documentation since I have TP\\AV\\WF licenses, when a DNS query is made to a bad site the firewall will check its local DNS signatures which will hold a capacity of 100,000 signatures. So there's a chance that a bad query is not seen. However with the DNS seurity license, DNS signatures are stored in the cloud, it has an infinite amount of DNS signatures, and the DNS requests are real-time analysis and you get instant access to newly added DNS signatures, no need to wait for a download from your dynamic updates AV. My questions: 1. When I look at how to enable DNS security from their documentation, it looks exactly like how I have it now with only DNS sinkhole. So I guess I would just add the DNS security license and assume its working? 2. When a DNS query is made from a client on my network, by the time it does a live real-time lookup\\analysis, will the end user see any "lag" on their web request a timeout perhaps? 3. Will the DNS request use the local cache on the firewall (the 100,00 signatures), and if it doesn't find anything, it will then use the cloud, or it goes directly to the cloud? I wish Palo had more in depth documentation on how these things work\\flow, like a deeper dive. ​ Also, what are your thoughts on DNS security, have you found it to be useful?
... View more