How to add exception for only one DGA domain while blocking the DGA category [DNS Security]

Created On 04/15/20 19:33 PM - Last Updated 06/26/20 18:31 PM

All domains blocked by the DGA category carry the same threat ID, 10900000; that is, different domains are identified by one shared threat ID. If one of those domains is a false positive, it is hard to add an exception for it, because the domain has no unique threat ID of its own.
This article explains how to add an exception for a single domain while continuing to block every other domain in the DGA category.


  • PAN-OS 9.0.x or higher
  • DNS security license 

There are two possible solutions. 


You can change the verdict to benign or whitelist the domain. Both are done from the firewall CLI.


  • Suppose the domain '' is identified as DGA. In this case, any DNS query for it made by a host behind the firewall resolves to the sinkhole address.

> nslookup canonical name =

  • The firewall threat logs show the corresponding entries.
   Threat logs for the domain, identified as spyware.


  • Check the current verdict for the domain with the following command:

>show dns-proxy dns-signature cache | match
*                         C2          109000001   86327       0

  • Change the verdict for the domain to benign with the following command. Note that this adds the domain to a whitelist on the management plane of your Palo Alto Networks firewall; the entry takes effect only on this firewall, locally.

>debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number>
Example for
>debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn

  • You can confirm that the domain's verdict has been changed. The last number, zero, is the number of hits on this domain.

> show dns-proxy dns-signature cache | match abc
*                         White list  420000700   30758373       0  

  • You can also confirm the change from the dataplane.

> debug dataplane show dns-cache print | match abc
, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700


  • Send a DNS query for the same domain again; it now resolves to the correct IP address.

> nslookup
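To check the before-and-after state shown in the steps above without eyeballing the CLI output, the following added example (not part of the article, and not a Palo Alto Networks tool) parses the management-plane `show dns-proxy dns-signature cache` line and the dataplane `debug dataplane show dns-cache print` line and confirms that both planes agree the domain is now exempt. The column layout is taken from the article's output; the domain name and sample lines are constructed.

```python
"""Verify a DGA exception from PAN-OS DNS-signature cache output (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines; the domain is a placeholder, the columns follow the article.
MP_CACHE_BEFORE = "*dga-example.invalid          C2          109000001   86327       0"
MP_CACHE_AFTER = "*dga-example.invalid          White list  420000700   30758373       0"
DP_CACHE_AFTER = ("dga-example.invalid, wildcard: yes, ttl: 0/331353/0, temp: 0, "
                  "verdict benign, utid: 420000700")


@dataclass
class CacheEntry:
    domain: str
    wildcard: bool
    verdict: str
    uid: int            # threat ID / gtid / utid column
    ttl: Optional[int]  # None where the line's TTL field is not a single integer
    hits: Optional[int]


def parse_mp_cache_line(line: str) -> CacheEntry:
    """Parse a management-plane cache line: domain, verdict, ID, TTL, hits.

    The verdict may contain a space ("White list"), so the three numeric
    columns are taken from the right and the middle tokens form the verdict.
    """
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"unexpected cache line: {line!r}")
    domain, *verdict_tokens, uid, ttl, hits = tokens
    return CacheEntry(domain.lstrip("*"), domain.startswith("*"),
                      " ".join(verdict_tokens), int(uid), int(ttl), int(hits))


# Assumed field order, as printed in the article's dataplane output.
DP_RE = re.compile(r"^(?P<domain>\S+), wildcard: (?P<wc>yes|no), ttl: \S+, "
                   r"temp: \d+, verdict (?P<verdict>\w+), utid: (?P<utid>\d+)$")


def parse_dp_cache_line(line: str) -> CacheEntry:
    """Parse a dataplane dns-cache line; the a/b/c TTL field is left uninterpreted."""
    m = DP_RE.match(line)
    if not m:
        raise ValueError(f"unexpected dataplane line: {line!r}")
    return CacheEntry(m["domain"], m["wc"] == "yes", m["verdict"], int(m["utid"]), None, None)


def is_exempted(mp: CacheEntry, dp: CacheEntry) -> bool:
    """True when both planes show the same domain as whitelisted/benign under one ID."""
    return (mp.domain == dp.domain and mp.uid == dp.uid
            and mp.verdict.lower() == "white list" and dp.verdict.lower() == "benign")
```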


Additional Information
Note: Before running any of the debug commands listed in this article, go through this article, which explains the risks involved.
