We have a Palo Alto firewall in our data center and we use this product for DNS filtering. With respect to the DNS, everything is being processed.
Senior Network Specialist at Al Ghurair Investments
Good DNS filtering, scalable, and highly-integrated
Pros and Cons
- "The most valuable feature is DNS filtering."
- "We would like to have cloud-based management."
What is our primary use case?
How has it helped my organization?
This product is used in our organization to prevent all of the potential threats that we expect from the internet. It includes everything that can reach the end-user from the internet.
It handles everything that is DNS-related that originates from an untrusted zone.
This is beneficial for us because we are in the process of migrating everything from on-premises to the cloud. We have already migrated our email and OneDrive. Will hopefully be on Office 365 soon.
As far as I'm concerned, the DNS duties should be on the cloud as well.
What is most valuable?
The most valuable feature is DNS filtering.
This is a highly-integrated system tool.
What needs improvement?
We would like to have cloud-based management.
I would like to see integration with Cisco Meraki so that they can work together on DNS issues.
Buyer's Guide
Palo Alto Networks DNS Security
November 2024
Learn what your peers think about Palo Alto Networks DNS Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Palo Alto Networks DNS Security for between six and seven years.
What do I think about the stability of the solution?
This product has been doing well and we have no complaints about stability.
What do I think about the scalability of the solution?
This is a scalable solution. We have about 1,200 users.
What about the implementation team?
We have two people who are in charge of security and work with this product.
What other advice do I have?
For us, this is the best product that we have used. Nonetheless, I will recommend it only once they have integration with Cisco Meraki so that the two technologies can work together.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer at Exclusive Networks
Offers good features like data exfiltration and DNS tunneling
Pros and Cons
- "The solution's most valuable features are data exfiltration and DNS tunneling."
- "If the tool offers improved data security, I think it would be good."
What is our primary use case?
I use the solution in my company to protect our enterprise network. I use the tool for data exfiltration.
What is most valuable?
The solution's most valuable features are data exfiltration and DNS tunneling. The tool's features have helped the enterprise in the area of data exfiltration. On the business side, the tool helps enterprises prevent breaches.
What needs improvement?
If the tool offers improved data security, I think it would be good.
If some of our company's partners or customers want to distinguish the license between Palo Alto Networks DNS Security and Palo Alto Networks Advanced Threat Prevention, it should be made possible. Some people had asked me how they could distinguish between Palo Alto Networks DNS Security and Palo Alto Networks Advanced Threat Prevention if they bought both. With Palo Alto Networks DNS Security, there are no menus like in the case of Palo Alto Networks Advanced Threat Prevention. We configured Palo Alto Networks DNS Security in Palo Alto Networks Advanced Threat Prevention, and that is why our customers ask us how to check the features of the tools in the GUI. Palo Alto Networks DNS Security has a set of features that are different from Palo Alto Networks Advanced Threat Prevention, and so our customers want to be able to distinguish between the licenses of both solutions.
For how long have I used the solution?
I have been using Palo Alto Networks DNS Security for two years. I am a customer of the solution. I don't remember the version of the solution. I work with multiple versions of the tool.
What do I think about the stability of the solution?
I have no problem with the security of the solution. Stability-wise, I rate the solution a ten out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. Scalability-wise, I rate the solution a ten out of ten.
I think in my country, not too many of our customers use the tool. I think around 50 or 60 percent of the customers use the tool.
The medium and big businesses use the tool.
How are customer service and support?
I have not encountered any situation related to the tool that required me to contact the solution's technical support team. In some of the other cases not related to the tool, the tech team's support has been very good. I rate the support team as a nine out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The product's initial setup phase is easy. If one is difficult and ten is easy, I rate the setup process as a nine to ten.
The product's deployment phase is easy. You just need to understand the solution and enable the feature in the security policy, which just takes some minutes.
The solution is deployed on the private cloud.
The solution can be deployed very quickly, but it would take one or two weeks to understand the tool before we try to deploy it.
What's my experience with pricing, setup cost, and licensing?
If one is very cheap and ten is very expensive, I rate the tool's price as two.
Palo Alto Networks DNS Security is a very cheaply priced tool compared to other competitors.
What other advice do I have?
There are two approaches my customers can use to integrate the tool into the existing network security framework. With the tool in place, we can enable data security in the policy in NGFW. The second approach is if you go for Infoblox DNS, we can enable its features in Palo Alto Networks DNS Security. Palo Alto Networks DNS Security is an add-on in NGFW from Palo Alto, and it is also an add-on feature in the data server from Infoblox. We do not need to integrate something like APIs in the tool to enable the rest of its features.
I don't know how to say the predictive analytics of the solution works, but it is very important besides the signature-based protection method. The predictive analytics method is very important to stop zero-day attacks.
I recommend the tool to others.
I rate the tool a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
Last updated: Sep 25, 2024
Flag as inappropriateBuyer's Guide
Palo Alto Networks DNS Security
November 2024
Learn what your peers think about Palo Alto Networks DNS Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
Senior Technical Project Manager at a university with 10,001+ employees
Mature with good scalability and an easy initial setup
Pros and Cons
- "The stability is excellent and the product is very mature."
- "Every vendor that sells DNS or firewalls needs to be able to protect against DNS look-up attacks and DNS naming hacks. This is true of Palo Alto as well as others."
What is our primary use case?
We primarily use the solution for security reasons.
What is most valuable?
Palo Alto has a range of products. They have very secure 600 DNS as well as 100 DNS. They have anti-hacking features which are quite useful. They have virus protection within the firewall.
They have other products that are geared towards protecting the DNS. All of their product line is highly secure with built-in security. You can protect DNS within the firewall as most of the features are built-in. It's not like a product within the firewall. It's already built-in.
The initial setup is very, very straightforward.
The scalability is good.
The stability is excellent and the product is very mature.
What needs improvement?
Every vendor that sells DNS or firewalls needs to be able to protect against DNS look-up attacks and DNS naming hacks. This is true of Palo Alto as well as others.
The IDS and IPS should be built-in. With EDS and IDS, some are proud to have built-in IDS and IPS intrusion protection and intrusion detection as some vendors sell IDS and IPS separately. They shouldn't be separate. Instead of selling two products, it really should just be one.
For how long have I used the solution?
I've been using the solution for about six years at this point. It's been a while.
What do I think about the stability of the solution?
The solution is a very mature product. That's what I like about Palo Alto. They said they don't have breaches on their firewall. There are no bugs or glitches. It doesn't crash or freeze. It's great.
What do I think about the scalability of the solution?
Cisco and Palo Alto, right off the bat, are very scalable. That's why I'm studying cloud computing, as, right now, all of the cloud computing platforms have automation and start with automation. We're going away from humans having to configure routers, switches, stories, and firewalls. Everything is done through automation in the stack as well as through virtualization. Maybe in five years, we'll then have so many Cisco routers engineers, NetApp engineers, who would be mostly working through virtualization and the cloud.
How are customer service and technical support?
Palo Alto has a very mature library of documentation. That's what I like about Palo Alto. They don't have so many breaches so, and you're dealing with a good mature product.
You can go and visit the support webpage and check the size of their tech support libraries. If it's huge, then you know you have a product that has, let's say, a lot of incidents, so you maybe want to stay away from it.
Which solution did I use previously and why did I switch?
I'm in the process of certifying for cloud computing, Amazon cloud computing. I'm focusing not so much on hardware, but on the solutions that Amazon has. We deal primarily with Route 53, which is the Amazon product, which has built-in security features within the configuration of Route 53.
I have experience with Cisco, which is pretty easy to set up.
Sonicwall and Sophos I don't use at all.
Checkpoint is not an easy firewall to set up, although is a very good firewall. Checkpoint has also been around for a very long time and it still has instruction sets and comments. It's software-driven, most of the time.
How was the initial setup?
The initial setup is not complex. That's the beauty about Palo Alto. If you set up a firewall, it is very easy and very straightforward. Unlike other vendors, the two firewalls that are easiest to set up are Cisco and Palo Alto. The other vendors are a little bit more work.
What's my experience with pricing, setup cost, and licensing?
I'm more focused on supporting the product, I don't buy it. I go to the webpage and I see prices, however, I don't pay too much attention to the cost. I'm more interested in the product features and doing the work and the support than actually buying the product.
It's my understanding that they are closely competitive with Cisco, and likely their pricing is on par.
What other advice do I have?
We are customers and end-users.
I'm not sure which version of the solution we're using.
I'm currently during training with new virtual firewalls.
DNS is a very ancient protocol. The protocol 53 and the UCP and so on, and ARP. We need to review that architecture due to the way we do networking is open to hacking. People can poison the cache, and therefore we need to look at a way of doing away with ARP, doing away with the UCP and having, let's say, the address convert automatically into the IP address and do away with IP version 6. IP version 6 was a total mess. Although the protocol works, it consumes too much overhead and it's too much of a fat protocol. It uses 64 bit, 128 bit, hex addressing at the Mac layer and also at the network layer when using hex.
We need to stick with expanding IP version 4, data in notation. That works at a human level better than working at the network layer. When you use, let's say, IP version 6 it is very difficult to troubleshoot. It's a lot easier to troubleshoot IP version 4, that it's decimal and hex at the network layer. It's a lot easier to identify patterns, easier for the eye to be able to recognize that something is negative or to understand how protocols are working or how routing is working.
Right now, most companies operate with all the DNS. What's surrounding the DNS are the firewalls, intrusion protection and detection, load balancing, fault tolerance et cetera. Other than that, we don't have a secure DNS. That's why we need to reinvent networking. We need to switch to a new method of networking, where we have a truly secure DNS. Without the DNS the internet does not work. That's like having a store open to pirates. DNS is the best thing that has been invented, as far as the internet goes, as that's what allows the browsers to work, that's what allows network solutions to work. Without it we're dead.
I'd rate the solution at an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a educational organization with 11-50 employees
We can actively see how many thousands of malicious requests have gotten knocked down in the last day or week that we didn't know before
Pros and Cons
- "We now have insight into our DNS requests and we can actively see how many thousands of malicious requests have gotten knocked down in the last day or week that we didn't have before. There's more insight for both security and more insight."
- "I'm not really sure what needs improvement. The only hiccup I've really seen is a couple of the DNS requests get flagged as the Sophos traffic instead of DNS traffic, but that's more of their app detection in the DNS Security. I haven't really seen any issues with the DNS security."
What is our primary use case?
Our primary use case is for preventing malware and malicious requests.
How has it helped my organization?
We now have insight into our DNS requests and we can actively see how many thousands of malicious requests have gotten knocked down in the last day or week that we didn't know before. There's more security and more insight.
The fact that the solution detects five times more malicious, newly registered domains and more than nine days faster than the in industry average, affects our security posture by blocking the bleeding edge malicious attacks. In theory, it just keeps us a few branches up from everybody else so we won't get hit.
We are moving towards a Zero Trust Architecture but not necessarily directly. We are in the process of trying to deploy a PAM that is in the direction of Zero Trust. It's very convenient that we can just put it in line, turn it on, and watch it go.
What is most valuable?
The autofocus piece that gives us insights into how many requests we have and how many malicious requests get denied is the most valuable feature. We didn't really have eyes on the DNS queries. We had some filtering done, but we didn't know which pieces it knocked down and how much work it was doing.
The comprehensiveness of DNS Security against emerging DNS layer threats is very good. They seem to have updates nearly daily.
My understanding is that it would protect against DNS tunneling, rebinding, and dangling DNS attacks. Any of the malicious-type attacks, like getting blocked, are important for us because we're trying to keep our network secure.
Features specifically relevant to DNS Security, like proactively digging for potential cybercriminal activities, C2, phishing, and grayware hosting are very important to us because they're malicious attempts at the network and Palo Alto knocks it down.
What needs improvement?
I'm not really sure what needs improvement. The only hiccup I've really seen is a couple of the DNS requests get flagged as the Sophos traffic instead of DNS traffic, but that's more of their app detection in the DNS Security. I haven't really seen any issues with the DNS security.
For how long have I used the solution?
I have been using Palo Alto for around two years.
What do I think about the stability of the solution?
It's been very robust. You check the box and watch it work.
What do I think about the scalability of the solution?
It covered our whole network without us having to really tweak anything. The one adjustment we had to make is that we had to make the DNS lookup timeouts slightly longer, but as soon as we contacted support, they knew to do that and gave us the instructions on how to do it.
We support 47 different school districts and they all come to us and pull through. It fluctuates and they manage their end of the network.
At this point, we have two Egresses and it's on both Egresses fully.
Eight of us on the team work with Palo Alto. We mostly do the LAN side of the network.
How are customer service and support?
My only qualm with them is that sometimes they work off-hours compared to our time zone.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't really have a solution before and we didn't have any eyes on our DNS requests, as far as what was malicious and what was expected traffic.
How was the initial setup?
The initial setup was straightforward. You just set up a security profile and attach it to your rules and it filters DNS requests.
We did it all together when the firewalls were deployed in the beginning. I'm not sure how long the DNS Security piece took.
What about the implementation team?
Palo Alto sales engineers helped us deploy it. Our experience with them was very good. They're very knowledgeable and very helpful.
What was our ROI?
We have eyes and security in a place we didn't before, so that's at least worth something.
What's my experience with pricing, setup cost, and licensing?
I wasn't too involved in the pricing piece of this, but we're an educational-type institution and we were able to make it work. I think the pricing is good.
Which other solutions did I evaluate?
We were replacing our outward-facing firewall but we mostly shop between Cisco and Palo Alto.
We were looking at Palo Alto as a whole for the firewall, not just the DNS Security filtering. As a whole, we like the management, features, and subscriptions that Palo Alto has compared to Cisco.
We've been really happy with it. And it seems like even with the web security piece doing some inspection, Palo Alto does more. With Palo Alto having the near-constant updates, they're usually cutting down newer malicious DNS requests before the others could.
What other advice do I have?
Turn it on and run it and see how many DNS requests you were missing before.
The biggest lesson I have learned is that we have a lot more malicious requests than we thought we did.
I would rate Palo Alto Networks DNS security a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Consultant at a tech services company with 501-1,000 employees
User friendly, zero-configuration, and priced fair
Pros and Cons
- "When comparing other cloud-based DNS security solutions to this one I have found the main beneficial feature in this solution to be we do not need to change our architecture."
- "There should be an on-premise version of this solution."
What is our primary use case?
This is a subscription-based solution that you need to procure for our firewall that provides DNS security. We use this solution for all of our on-premise and remote users. It is used in any servers which are connected over the internet or the users who are trying to reach the internet.
What is most valuable?
When comparing other cloud-based DNS security solutions to this one I have found the main beneficial feature in this solution we do not need to change our architecture. There was no need to change the configuration or to do any modification to the user's end. The user's DNS will be the same, the traffic will flow through the same firewall, and it will give us the DNS level security. For other OEMs or other solutions, we need to map their DNS to the public DNS and there is a need to modify the DNS at the user level. Additionally, the solution works in real-time and it is easier to deploy users. For example, to deploy 1,000 - 2,000 users having to do the modifications in each user's IT environment would take a lot of time.
Additionally, I have found the solution to be very user-friendly.
What needs improvement?
There should be an on-premise version of this solution. There are companies that have asked for a solution that is on-premise. The reason for this is some companies might want to have control of where their traffic is going. For example, banking companies do not want their DNS queries or any such traffic to be sent over the cloud, because the cloud can be inside India or anywhere. This is why they might want the solution to be on-premise to allow them to have full control of the security.
For how long have I used the solution?
I have been using the solution within the last 12 months.
What do I think about the stability of the solution?
The solution is very reliable and stable. It intercepts DNS traffic and it can block unwanted traffic and forward it elsewhere.
What do I think about the scalability of the solution?
The solution is highly scalable since it is in the cloud. We have approximately 50 users using the solution. Between my customers, they have a user base of 10 to 10,000 users using the solution.
How are customer service and technical support?
The technical support is responsive.
How was the initial setup?
Since it is a subscription, all you need to do is activate the license to use it.
What's my experience with pricing, setup cost, and licensing?
There is an annual license for the solution and I am satisfied with the pricing.
Which other solutions did I evaluate?
We did evaluate other options.
What other advice do I have?
My advice to those wanting to implement Palo Alto Next-generation Firewalls, VM-Series, K2, or any other firewall from Palo Alto, I would recommend them to enable DNS Security.
I rate Palo Alto Networks DNS Security a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Palo Alto Networks DNS Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Domain Name System (DNS) SecurityPopular Comparisons
Cisco Umbrella
Infoblox Advanced DNS Protection
TitanHQ WebTitan
Infoblox BloxOne Threat Defense
F5 BIG-IP DNS
Akamai Secure Internet Access Enterprise
BlueCat Edge
EfficientIP DNS Firewall
Buyer's Guide
Download our free Palo Alto Networks DNS Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which product do you prefer: Cisco Umbrella or Palo Alto Networks DNS Security?
- Which solution is better: Cisco Umbrella or Palo Alto Networks DNS Security?
- When evaluating DNS Security, what aspect do you think is the most important to look for?
- Why is Domain Name System (DNS) Security important for companies?
- What DNS security tool do you recommend?
- Why is domain name system security important?
- How does Infoblox stand out when compared to other solutions like Cisco Umbrella and Palo Alto Networks Prisma Cloud?
- How can I connect MEGA HOPEX to a domain using an active director?
- Which Linux OS solution is better for running DNS software for a telecom company?