Palo Alto Networks Knowledgebase: DotW: DNS as a Top Application

DotW: DNS as a Top Application

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM




User 'jharlow' had a question about DNS showing up as the top application, with web-browsing second. In a one hour period he observed 27,700 DNS sessions and 24,100 web-browsing sessions. Since they had their own internal DNS server, he wondered why so many DNS sessions were showing up.

This happens because web pages are more complex today. A modern web page can contain many parts, as shown below:

  • Images hosted on other domains/sites
  • Social Media plugins like Facebook and Twitter to share and like items
  • Website Advertising
  • External links for content distribution
  • Website analytics

Every one of these parts not only performs a DNS lookup, but can also pull content from those other domains/sites, generating a huge amount of traffic for a small number of legitimate website visits.
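To make the point above concrete, here is an added example (not from the original article) that walks a constructed sample HTML page and counts the distinct third-party hosts a browser would have to resolve just to render it. The sample page, its hostnames and the assumption that nothing is cached (so every distinct host costs one lookup) are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one "legitimate" site visit that embeds images,
# a CSS file, analytics, an ad slot and social plugins from other domains.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example-static.net/site.css">
<script src="https://analytics.example-metrics.com/tag.js"></script>
</head><body>
<img src="https://images.example-cdn.net/logo.png">
<img src="/local/banner.png">
<img src="//images.example-cdn.net/hero.jpg">
<iframe src="https://ads.example-adnetwork.com/slot?id=1"></iframe>
<script src="https://social.example-plugins.com/like.js"></script>
<script src="https://social.example-plugins.com/share.js"></script>
<a href="https://www.example-shop.com/about">About</a>
</body></html>
"""

# Attributes whose value the browser fetches automatically while rendering.
RESOURCE_ATTRS = {"src", "href", "data-src", "poster"}


class HostCollector(HTMLParser):
    """Collects every hostname referenced by an auto-loaded resource."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        # <a href> is only fetched when clicked, so it does not cost a lookup
        # at page load time; everything else with a resource attribute does.
        if tag == "a":
            return
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                # urlparse handles absolute and protocol-relative (//host/...)
                # URLs; relative paths have no hostname and are skipped.
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())


def lookups_for_page(html, page_url):
    """Return the page host, the distinct third-party hosts, and the number
    of DNS lookups one uncached page load would trigger (1 for the page
    itself plus one per distinct third-party host)."""
    page_host = urlparse(page_url).hostname.lower()
    collector = HostCollector()
    collector.feed(html)
    third_party = sorted(h for h in collector.hosts if h != page_host)
    return {
        "page_host": page_host,
        "third_party_hosts": third_party,
        "dns_lookups": 1 + len(third_party),
    }


def estimate_dns_sessions(page_visits, lookups_per_page):
    """Rough session estimate: each lookup is its own DNS session on the
    firewall when the resolver has nothing cached."""
    return page_visits * lookups_per_page


if __name__ == "__main__":
    result = lookups_for_page(SAMPLE_PAGE, "https://www.example-shop.com/")
    for host in result["third_party_hosts"]:
        print("third-party host:", host)
    print("DNS lookups for one page view:", result["dns_lookups"])
    print("DNS sessions for 1,000 page views:",
          estimate_dns_sessions(1000, result["dns_lookups"]))
```

Each `<img>`, `<script>`, `<link>` and `<iframe>` that points at another domain adds a hostname the browser must resolve before it can fetch the content, while the two social plugin scripts from the same host share one lookup. On a real site the third-party list is usually much longer, which is why DNS can outrun web-browsing in the session counts.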


In my experience, when DNS traffic is this active on your network, DNS will end up as the most active application talking through your firewall. In almost every case, it is fine to create a separate outbound rule for DNS traffic using its default port (application-default) and to turn off logging for that rule. To remain protected, I recommend that you enable a security profile on that rule to catch any malicious traffic, viruses and so forth.


To view the discussion, please visit the following link:

DNS top applications?


As always, I welcome any comments or suggestions, so please comment below!


Thanks for reading.

Joe Delio

