Advanced DNS Security on Palo Alto Networks firewalls is designed to identify and prevent a wide
range of DNS-based attacks. Among the listed options, "High entropy DNS domains" is a specific
example of a DNS attack that Advanced DNS Security can detect and block.
Why "High entropy DNS domains" (Correct Answer A)?
High entropy DNS domains are often used in attacks where randomly generated domain names (e.g.,
gfh34ksdu.com) are used by malware or bots to evade detection. This is a hallmark of Domain
Generation Algorithm (DGA)-based attacks. Palo Alto Networks firewalls with Advanced DNS
Security use machine learning to detect such domains by analyzing the entropy (randomness) of DNS
queries. A high entropy value indicates that a domain is likely dynamically generated or malicious.
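To make the entropy idea concrete, here is an added example (not Palo Alto Networks code) that computes the Shannon entropy of the registrable label of each query name and flags labels that are both long and high-entropy. The sample query names, the 3.0-bit threshold and the 8-character minimum length are constructed assumptions for illustration; the real service uses a trained classifier with more features than entropy alone.

```python
import math
from collections import Counter

# Constructed sample of DNS query names (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "gfh34ksdu.com",          # random-looking label, as in the explanation above
    "x7q2m9zk4plr1v.net",     # constructed DGA-style label
    "static.wikipedia.org",
]

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname: str) -> str:
    """Label immediately left of the TLD.

    Naive on purpose: assumes a single-label public suffix (com, net, org),
    which is enough for the constructed sample."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def is_high_entropy(qname: str, threshold: float = 3.0, min_len: int = 8) -> bool:
    """True when the registrable label is long enough and its entropy meets the threshold.

    The length floor avoids flagging short labels, whose entropy is capped at log2(len)."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= threshold

def flag_queries(qnames):
    """Return the query names a detector would flag as likely DGA candidates."""
    return [q for q in qnames if is_high_entropy(q)]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        label = registrable_label(q)
        print(f"{q:24} label={label:16} H={shannon_entropy(label):.2f} flagged={is_high_entropy(q)}")
```

Long dictionary-word labels can also cross a plain entropy threshold, which is why a production detector combines entropy with other behavioural features and machine learning rather than relying on this single score.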
Why not "Polymorphic DNS" (Option B)?
While polymorphic DNS refers to techniques that dynamically change DNS records to avoid
detection, it is not specifically identified as an attack type mitigated by Advanced DNS Security in
Palo Alto Networks documentation. The firewall focuses more on the behavior of DNS queries, such
as detecting DGA domains or anomalous DNS traffic patterns.
Why not "CNAME cloaking" (Option C)?
CNAME cloaking involves using CNAME records to redirect DNS queries to malicious or hidden
domains. Although Palo Alto firewalls may detect and block malicious DNS redirections, the focus of
Advanced DNS Security is primarily on identifying patterns of DNS abuse like DGA domains,
tunneling, or high entropy queries.
Why not "DNS domain rebranding" (Option D)?
DNS domain rebranding involves changing the domain names associated with malicious activity to
evade detection. This is typically a tactic used for persistence, but it is not an example of a DNS
attack type specifically addressed by Advanced DNS Security.
Advanced DNS Security focuses on dynamic, real-time identification of suspicious DNS patterns, such
as high entropy domains, DNS tunneling, or protocol violations. High entropy DNS domains are
directly tied to attack mechanisms like DGAs, making this the correct answer.
Reference: According to Palo Alto Networks Advanced DNS Security documentation, detecting high
entropy domains is a core feature of the service, leveraging machine learning and behavioral analysis
to identify and block such malicious activities.