New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Palo Alto Networks NetSec-Pro Exam - Topic 2 Question 7 Discussion

Actual exam question for Palo Alto Networks's NetSec-Pro exam
Question #: 7
Topic #: 2
[All NetSec-Pro Questions]

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?

Show Suggested Answer Hide Answer
Suggested Answer: C

Advanced DNS Security uses a signature policy to sinkhole malicious DNS queries and prevent them from resolving.

''The DNS Security service integrates with Anti-Spyware profiles, and you must configure signature policy settings to sinkhole malicious queries. This proactively stops traffic to known malicious domains.''

(Source: Configure DNS Security)

Sinkholing ensures that DNS queries to malicious FQDNs are redirected to a safe IP, preventing compromise.


by Casey at Jul 03, 2025, 04:26 PM

Limited Time Offer

25%

Off

Get Premium NetSec-Pro Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Rosina
2 months ago
I think enabling Advanced Threat Prevention first makes more sense.
upvoted 0 times
...
Nidia
2 months ago
Creating overrides for FQDNs is also important, though.
upvoted 0 times
...
Cory
3 months ago
I agree, option C is the way to go!
upvoted 0 times
...
Holley
3 months ago
Wait, are we really sure about that? Seems too straightforward.
upvoted 0 times
...
Rueben
3 months ago
You definitely need to configure DNS Security signature policy settings.
upvoted 0 times
...
Rory
3 months ago
I recall that decrypting DNS-over-TLS traffic is important, but I’m not confident if that’s the very first thing we should do.
upvoted 0 times
...
Ettie
4 months ago
I practiced a similar question, and I feel like enabling Advanced Threat Prevention with default settings might not be the best initial step. We should be more proactive.
upvoted 0 times
...
Paola
4 months ago
I'm not entirely sure, but I remember something about needing to create overrides for FQDNs. Is that really necessary right away?
upvoted 0 times
...
Samuel
4 months ago
I think the first step should be to configure the DNS Security signature policy settings. That seems crucial for blocking malicious queries.
upvoted 0 times
...
Alyce
4 months ago
I'm a little confused by this one. The question is specifically about the initial configuration of the Advanced DNS Security service, but some of the options seem to be more about the broader security setup, like the decryption policy and enabling Advanced Threat Prevention. I'm not sure if those would be the right first steps. I think I'll need to review the Palo Alto documentation more carefully to make sure I understand the proper sequence of steps for setting up the Advanced DNS Security service.
upvoted 0 times
...
Peggie
4 months ago
Okay, let's see here. The question is asking about the initial configuration of the Advanced DNS Security service, so I think the answer is probably either B or C. Creating overrides for company-owned FQDNs or configuring the DNS Security signature policy settings both seem like logical first steps to me. I'll need to double-check the details, but I'm feeling pretty confident about those two options.
upvoted 0 times
...
Terry
5 months ago
Hmm, I'm a bit unsure about this one. The question is specifically asking about the initial configuration, so I'm not sure if creating a decryption policy or enabling Advanced Threat Prevention would be the right first step. I'm leaning towards either option B or C, but I'll need to think it through a bit more.
upvoted 0 times
...
Colette
5 months ago
This one seems pretty straightforward. I think the key is to focus on the initial configuration of the Advanced DNS Security service, so I'd go with option C - configuring the DNS Security signature policy settings to sinkhole malicious DNS queries.
upvoted 0 times
...
Lettie
6 months ago
Haha, this exam is really testing our DNS security knowledge. I bet the network admin who set this up is laughing at us right now.
upvoted 0 times
...
Crista
6 months ago
A is definitely not it. Decrypting DNS-over-TLS traffic? That's just asking for trouble!
upvoted 0 times
...
Lili
6 months ago
B looks interesting, but I'm not sure overriding all company FQDNs is the initial configuration step. Hmm, tough one.
upvoted 0 times
...
Lina
7 months ago
D seems like the easiest option, but I doubt that's the correct answer. We need to focus on the Advanced DNS Security service specifically.
upvoted 0 times
Delfina
5 months ago
A) Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.
upvoted 0 times
...
Hollis
6 months ago
C) Configure DNS Security signature policy settings to sinkhole malicious DNS queries.
upvoted 0 times
...
France
6 months ago
A) Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.
upvoted 0 times
...
...
Kristal
7 months ago
I agree with Johnson, C seems like the best option to protect the network.
upvoted 0 times
...
Johnson
7 months ago
But setting up sinkholing for malicious DNS queries is crucial for security.
upvoted 0 times
...
Denna
8 months ago
I think C is the right answer. Sinkholing malicious DNS queries is key to the Advanced DNS Security service.
upvoted 0 times
Trina
6 months ago
Yes, it helps prevent users from accessing malicious websites.
upvoted 0 times
...
Francis
6 months ago
I agree, sinkholing malicious DNS queries is crucial for security.
upvoted 0 times
...
Nida
7 months ago
Yes, that's a good point. It's important to have a comprehensive approach to DNS security.
upvoted 0 times
...
Alaine
7 months ago
I think we should also consider creating overrides for company owned FQDNs.
upvoted 0 times
...
Darci
7 months ago
I agree, sinkholing malicious DNS queries is crucial for security.
upvoted 0 times
...
...
Cristy
8 months ago
I disagree, I believe the answer is A.
upvoted 0 times
...
Johnson
8 months ago
I think the answer is C.
upvoted 0 times
...

Save Cancel