DNS Security action is "Alert" when it should be "Sinkhole" or "Block"
Question
When DNS Security is configured with the action set to either sinkhole or block, why do the threat logs show the action as "alert"?
Environment
- All PAN-OS
- DNS Security enabled
Answer
When DNS Security is enabled and the firewall encounters a domain that is not in its local cache, it is designed to request a verdict for that domain from the DNS Security Cloud. The firewall also sets a timeout, which is the time it will wait for the cloud to return the verdict.
If the verdict is returned within the timeout period, the configured DNS Security action (sinkhole or block) is applied to the traffic, and the verdict is saved in the firewall's local cache for a configured period.
If the verdict is NOT returned within the timeout period (for example, because of network or internet connectivity issues), the firewall has no verdict to apply to the traffic. In that case the firewall does not take the configured action (i.e. sinkhole); it only generates an entry in the threat log with the action "alert". When the verdict eventually arrives, the firewall caches it for future traffic, and the sinkhole action is applied to subsequent DNS requests for the same domain as long as the entry remains in the firewall's cache. Once the cache entry expires, the firewall requests the DNS signature for that domain from the cloud again.
The DNS timeout can be tuned based on the connectivity to the cloud (the default timeout is 100ms).
1.) Using CLI
# set deviceconfig setting ctd cloud-dns-timeout <>
2.) Using the GUI
Device --> Setup --> Content-ID --> Realtime Signature Lookup
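The following Python model is an added example, not PAN-OS code or anything from the vendor, that walks through the behaviour described in the Answer above and shows the effect of tuning the timeout. The class and function names, the sample domains, the cloud latencies, the 30-second local cache lifetime, and the choice to log "allow" for benign verdicts are all constructed assumptions; only the 100ms default timeout comes from the article.

```python
"""Simulation of the DNS Security verdict / timeout / cache logic.

Added illustrative model, not PAN-OS code. All names, domains, latencies
and the cache lifetime below are hypothetical (constructed for the example).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CloudLookup:
    """Stand-in for the DNS Security Cloud's answer for one domain (constructed).

    latency_ms: simulated time the cloud takes to return the verdict.
    verdict:    the verdict it returns, e.g. "malware" or "benign".
    """
    latency_ms: int
    verdict: str


@dataclass
class CacheEntry:
    verdict: str
    expires_at: int  # simulated time (ms) at which the local cache entry expires


@dataclass
class DnsSecurityModel:
    cloud: Dict[str, CloudLookup]                 # domain -> simulated cloud behaviour
    configured_action: str = "sinkhole"           # action configured in the profile
    timeout_ms: int = 100                         # cloud-dns-timeout; 100ms is the article's default
    cache_ttl_ms: int = 30_000                    # hypothetical local cache lifetime
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    pending: Dict[str, int] = field(default_factory=dict)  # domain -> time late verdict lands

    def query(self, domain: str, now_ms: int) -> str:
        """Return the action the threat log would show for a request at now_ms."""
        # Verdicts that arrived after an earlier timeout are cached once they land.
        for d, arrival in list(self.pending.items()):
            if arrival <= now_ms:
                self.cache[d] = CacheEntry(self.cloud[d].verdict, arrival + self.cache_ttl_ms)
                del self.pending[d]

        # An expired entry is dropped; the firewall asks the cloud again.
        entry = self.cache.get(domain)
        if entry is not None and entry.expires_at <= now_ms:
            del self.cache[domain]
            entry = None
        if entry is not None:
            return self._action_for(entry.verdict)

        lookup = self.cloud.get(domain)
        if lookup is None:
            return "allow"  # assumption: domain unknown to the cloud, nothing to enforce

        if lookup.latency_ms <= self.timeout_ms:
            # Verdict back within the timeout: enforce the configured action and cache it.
            self.cache[domain] = CacheEntry(lookup.verdict, now_ms + self.cache_ttl_ms)
            return self._action_for(lookup.verdict)

        # Verdict NOT back within the timeout: no verdict to apply, so only "alert"
        # is logged. The late verdict is cached when it arrives, for later requests.
        self.pending[domain] = now_ms + lookup.latency_ms
        return "alert"

    def _action_for(self, verdict: str) -> str:
        # Assumption: only malicious verdicts trigger the configured action.
        return self.configured_action if verdict == "malware" else "allow"


def simulate(timeout_ms: int = 100) -> List[Tuple[int, str, str]]:
    """Replay a constructed timeline and return (time_ms, domain, logged_action)."""
    model = DnsSecurityModel(
        cloud={
            "fast-evil.example": CloudLookup(latency_ms=40, verdict="malware"),
            "slow-evil.example": CloudLookup(latency_ms=250, verdict="malware"),
        },
        timeout_ms=timeout_ms,
    )
    timeline = [
        (0, "fast-evil.example"),        # cloud answers inside the timeout
        (0, "slow-evil.example"),        # cloud answers too late -> "alert"
        (500, "slow-evil.example"),      # late verdict now cached -> sinkhole
        (40_000, "slow-evil.example"),   # cache expired -> cloud asked again -> "alert"
    ]
    return [(t, d, model.query(d, t)) for t, d in timeline]


if __name__ == "__main__":
    for label, timeout in (("default 100ms", 100), ("tuned to 300ms", 300)):
        print(f"--- cloud-dns-timeout {label} ---")
        for t, d, action in simulate(timeout):
            print(f"t={t:>6}ms  {d:<20} action={action}")
```

With the default timeout the slow domain shows "alert" on the first request and again after the cache entry expires, which is exactly the log pattern the Question describes; raising the timeout above the cloud round-trip time makes every request enforce the configured sinkhole action.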
Additional Information
Unable To Fetch External Dynamic Lists (EDL) Due To A Timeout Or Connection Error