How to Check DNS Security Lookup Cache from CLI

Created On 03/27/19 02:42 AM - Last Modified 10/21/21 20:23 PM


Objective


Find the verdict for domain name lookups performed by the DNS Security service.

Environment


  • Palo Alto Firewall.
  • PAN-OS 9.0 and above.


Procedure


Step 1: Display the complete output of the real-time DNS lookups using the command below.
(The "verdict" field of each entry shows the verdict of that lookup.)
admin@PA-VM> debug dataplane show dns-cache print
 
microsoft.com, wildcard: yes, ttl: 85615/172891/27197, temp: 0, verdict benign, utid: 0
bing.com, wildcard: yes, ttl: 86392/172890/27196, temp: 0, verdict benign, utid: 0
<name removed>.com, wildcard: no, ttl: 300/4432/254, temp: 0, verdict C2, utid: 25692746


Step 2: Get the lookup details for a specific domain by filtering the output with "match", as in the command below:
admin@PA-VM> debug dataplane show dns-cache print | match bing

bing.com, wildcard: yes, ttl: 86392/172890/27138, temp: 0, verdict benign, utid: 0
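
Added example (not part of the original article and not Palo Alto Networks code): a Python parser for output saved from the Step 1 command that lists every entry whose verdict is not benign and reports lines it could not parse. The field layout is taken from the sample output above; the function names, the placeholder domain and the truncated line are constructed for illustration.

```python
import re

# Matches one cache entry in the format shown in the Step 1 output.
ENTRY_RE = re.compile(
    r"^(?P<domain>.+?), wildcard: (?P<wildcard>yes|no), "
    r"ttl: (?P<ttl>\d+(?:/\d+)*), temp: (?P<temp>\d+), "
    r"verdict (?P<verdict>[^,]+), utid: (?P<utid>\d+)\s*$"
)

def parse_dns_cache(text):
    """Return (entries, skipped): parsed dicts and lines that did not match."""
    entries, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the echoed CLI prompt/command.
        if not line or "debug dataplane show dns-cache" in line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            skipped.append(line)  # keep unparsed lines visible, never drop silently
            continue
        e = m.groupdict()
        e["wildcard"] = e["wildcard"] == "yes"
        # The three ttl numbers are kept as-is; the article does not define them.
        e["ttl"] = tuple(int(n) for n in e["ttl"].split("/"))
        e["temp"], e["utid"] = int(e["temp"]), int(e["utid"])
        entries.append(e)
    return entries, skipped

def non_benign(entries):
    """Entries whose verdict is anything other than 'benign' (case-insensitive)."""
    return [e for e in entries if e["verdict"].strip().lower() != "benign"]

# Constructed sample: the Step 1 output with the redacted name replaced by a
# placeholder, plus one deliberately truncated line.
SAMPLE = """\
admin@PA-VM> debug dataplane show dns-cache print

microsoft.com, wildcard: yes, ttl: 85615/172891/27197, temp: 0, verdict benign, utid: 0
bing.com, wildcard: yes, ttl: 86392/172890/27196, temp: 0, verdict benign, utid: 0
placeholder-domain.example, wildcard: no, ttl: 300/4432/254, temp: 0, verdict C2, utid: 25692746
this line is truncated, wildcard: no
"""

if __name__ == "__main__":
    entries, skipped = parse_dns_cache(SAMPLE)
    for e in non_benign(entries):
        print(f"{e['domain']}\t{e['verdict']}\tutid={e['utid']}")
    for line in skipped:
        print(f"unparsed: {line}")
```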

 


Additional Information


DNS Security is a licensed feature introduced in PAN-OS 9.0.
