No, you need to whitelist the domain in the DNS Security local cache.
If you ran PAN-OS 10.0 you can configure domain exceptions in the Anti-Spyware profile, but for 9.0 and 9.1 the exception is global and you need to configure it from the CLI.
I added instructions in this post https://live.paloaltonetworks.com/t5/general-topics/disney-domain-being-sinkholed-as-dns-tunneling-domain/m-p/325813
It would be best to investigate why your internal domain is considered malicious though. It could be an FP and could be whitelisted in the cloud.
You can try to see if the domain is listed as a malicious URL Category in https://urlfiltering.paloaltonetworks.com/query/ and if it is, request a category change to an otherwise benign category. That will propagate a signal from PAN-DB to DNS Security to also whitelist the domain.
... View more
