The primary function of the Advanced DNS Security service is to identify and mitigate threats by inspecting DNS queries. A fundamental initial configuration step is to define the action the firewall should take upon detecting a malicious DNS query. Configuring the DNS Security signature policy within an Anti-Spyware profile to "sinkhole" malicious queries is a core part of this setup. Sinkholing redirects the malicious request to a controlled server, which prevents the user from connecting to the malicious domain and helps administrators identify the compromised host that initiated the query. This is a direct and essential action to make the service effective from the start.

A: Decrypting DNS-over-TLS is a best practice for comprehensive visibility but not a mandatory initial step. The service can still inspect and block standard, unencrypted DNS traffic (UDP/53) without this rule.

B: Creating overrides for company FQDNs is a tuning or customization step to prevent potential false positives. It is typically performed after the core protective policies are already in place and running.

D: This option refers to configuring Advanced Threat Prevention (ATP), which is a separate service from Advanced DNS Security. The question specifically asks about the initial setup for the DNS Security service.

1. Palo Alto Networks - Configure DNS Security: "To use DNS Security

you must configure an Anti-Spyware profile to specify how the firewall handles DNS queries to malicious domains and apply the profile to a security policy rule... For DNS Signatures

select a single action... sinkhole: The firewall forges a response to a malicious DNS query to redirect the requesting client to a Palo Alto Networks sinkhole server..." This document establishes that configuring the action (like sinkhole) in the Anti-Spyware profile is the primary method to enable DNS Security.

Source: Palo Alto Networks TechDocs

"Configure DNS Security

" PAN-OS 10.2.

2. Palo Alto Networks - DNS Sinkhole: "DNS sinkholing is a mechanism that forges a response to a DNS query for a malicious domain and causes the victim to connect to a sinkhole IP address that you define." This reference defines the core action described in the correct answer.

Source: Palo Alto Networks TechDocs

"DNS Sinkhole

" PAN-OS 10.2.

3. Palo Alto Networks - DNS Security vs. Advanced DNS Security: "Advanced DNS Security... provides advanced protections

such as DNS-tunneling detection

and the use of machine learning to provide real-time identification and prevention of malicious domains." This highlights that DNS Security's core is preventing access to malicious domains

a function enabled by the policy action in option C.

Source: Palo Alto Networks TechDocs

"DNS Security

" PAN-OS 10.2.

4. Palo Alto Networks - Decryption Concepts: "To gain visibility into and control over SSL and SSH encrypted traffic

you can configure the Palo Alto Networks firewall to decrypt traffic..." This confirms that decryption is a separate

albeit related

configuration for handling encrypted traffic

not the primary setup for the DNS Security feature itself.

Source: Palo Alto Networks TechDocs

"Decryption Concepts

" PAN-OS 10.2.