Passive DNS monitoring is an opt-in feature available in PAN-OS 6.0 and later. It allows the Palo Alto Networks firewall to act as a passive DNS sensor and send selected DNS information to Palo Alto Networks for analysis, which improves threat intelligence and threat prevention capabilities.
DNS responses are forwarded only to Palo Alto Networks, and only when all of the following requirements are met:
The DNS response bit is set
The DNS truncated bit is not set
The DNS recursive bit is not set
The DNS response code is 0 or 3 (NX)
The DNS question count is greater than 0
The DNS answer RR count is greater than 0, or, if it is 0, the response code is 3 (NX)
The DNS query record type is one of A, NS, CNAME, AAAA, MX
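As an added example (not Palo Alto Networks code), the requirement list above expressed as a check over a raw DNS message, so that a defender can verify on a packet capture which responses a sensor applying these rules would select. It assumes the "recursive bit" is the RD flag of the header and that the question name is stored as uncompressed labels.

```python
import struct

# QTYPE values of the record types the page lists as forwarded.
FORWARDED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

def parse_header(msg):
    """Unpack the 12-byte header into the flag bits and counts the filter inspects."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": (flags >> 15) & 1,        # 1 = response
            "tc": (flags >> 9) & 1,         # truncated
            "rd": (flags >> 8) & 1,         # recursion desired; assumed to be the "recursive bit"
            "rcode": flags & 0xF,           # 0 = NOERROR, 3 = NXDOMAIN
            "qdcount": qdcount, "ancount": ancount}

def first_qtype(msg):
    """Skip the first question's name (uncompressed labels) and return its QTYPE."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]                     # length byte plus label bytes
    return struct.unpack("!H", msg[i + 1:i + 3])[0]

def forward_decision(msg):
    """Apply the requirement list in order; return (forwarded, reason)."""
    h = parse_header(msg)
    if h["qr"] != 1:
        return False, "not a response"
    if h["tc"]:
        return False, "truncated bit set"
    if h["rd"]:
        return False, "recursive bit set"
    if h["rcode"] not in (0, 3):
        return False, "rcode %d is neither 0 nor 3" % h["rcode"]
    if h["qdcount"] == 0:
        return False, "no question"
    if h["ancount"] == 0 and h["rcode"] != 3:
        return False, "empty answer section without NXDOMAIN"
    qtype = first_qtype(msg)
    if qtype not in FORWARDED_QTYPES:
        return False, "qtype %d not monitored" % qtype
    return True, "forwarded %s record" % FORWARDED_QTYPES[qtype]

def build_response(flags, qname, qtype, ancount=0):
    """Constructed test message: header plus one question. Answer RRs are not encoded;
    ANCOUNT is set directly because the filter only looks at the header and question."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)
```

For a real capture, feed the UDP payload of each DNS packet to forward_decision; the reason string tells you which rule excluded a response.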
To enable passive DNS monitoring on a Palo Alto Networks firewall running PAN-OS 7.1 or earlier, go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes.
To enable passive DNS monitoring on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.