DNS Security does not work after configuration

• The DNS traffic is passing through a security policy with Anti-spyware configured.
• Anti-spyware DNS security is configured with an action block for malicious domains ( phishing, malware, C2, .. etc )
• when doing nslookup for a malicious site from the client machine to the DNS resolver, the query passes through without detection where it should
• Checking the global counters, no increase in ctd_dns counters. 
• Noticing only the below counters: 
  

  
  > show counter global | match ctd_dns
  
  ctd_dns_id_update           3 0  info ctd pktproc Number of DNS id update from MP
  ctd_dns_response_error 694894 0 error ctd pktproc Number of Error DNS response from MP

• Palo Alto Firewalls
• PAN-OS 10.1
• DNS Security

The config from the GUI for the antispyware profile is not applied. The running config does not reflect the configured profile.

1. Make a simple change related to the DNS security config on the Anti-Spyware profile.
2. Commit the config.
3. Revert the modified change (The change is just done to populate the DNS security config on the running config)
4. Commit the changes again.