Palo Alto Networks DNS Security

DoT/DoH

PAN-OS 11.2.1 introduced the ability for the PAN-OS DNS Proxy to act as a DoT/DoH server and also to forward queries over DoT/DoH.

Data Sources

Details

  • Response in <100 Milliseconds
  • More than 30 third-party sources of threat intelligence to enrich data and ensure you have coverage
  • Does not require change to DNS Infrastructure
  • Cannot be bypassed by using other resolvers
  • 40% more threat coverage than other leading vendors
  • Stops newly registered domains 6x faster than publicly available scanners

New in mid 2025

  • Detection of unknown C2 threats developed using the open source Sliver C2 framework (ATP)
  • Enhanced Empire C2 detection
  • Protection against DNS relaying attacks, also known as Data Exfiltration via HTTP request headers (ATP+ADNS)
  • Domain Masquerading Detection, Malicious TDS Detection (ADNS)
  • AI Categorization, Crypto Scam Detection, DeepFake Phishing Detection (AURL)
  • Endpoint DLP

URL Categories Blockable

  • Ad Tracking
  • Command and Control
  • Dynamic DNS Hosted
  • Grayware
  • Malware
  • Newly Registered Domains (NRD)
  • Parked
  • Phishing
  • Proxy Avoidance & Anonymizers

DNS Techniques

  • Dangling DNS (PAN only)
  • WildCard DNS (PAN only)
  • NXNS Attack (PAN only)
  • CNAME Cloaking
  • Ultra-Slow DNS Tunneling
  • Data Theft
  • DNS Tunneling
  • DNS Infiltration
  • Compromised DNS Zone
  • DNS Rebinding
  • Strategically Aged Domains
  • Domain Squatting
  • Domain Generation Algorithm (DGA)
  • Dictionary DGA
  • Fast Flux Domains
  • DNS Rebinding Attacks
  • Dangling SNA Attacks
paloaltonetworks/dns_security.txt · Last modified: by bstafford