Skip to main content

Netskope Help

DNS Security


You must have the Cloud Firewall and DNS licenses to use DNS Security. This feature is available with IPSec, GRE, or Netskope Client traffic steering methods.

DNS Security is a Cloud Firewall feature that provides protection for DNS services. This feature allows you to identify and block malicious DNS requests. You can apply domain blocking categorically to prevent your users from connecting to unsafe domains. This allows you to stop or sinkhole connections to newly registered domains, DGA domains, and others that aren’t yet classified as malicious. You can also allow or block DNS tunnels and protect against unauthorized data transfers using those tunnels. Netskope updates the threat database every 15 minutes to protect your data against the latest threats.


DNS Security is unavailable for IPv6 traffic, as Netskope doesn’t support IPv6 in Cloud Firewall.


The primary steps to configure DNS Security include:

  1. Create a steering configuration to steer DNS traffic to the Netskope cloud.

  2. Create a DNS exception for your steering configuration. You should bypass local domains by specifying them in the steering exceptions.

  3. Create a DNS Profile to define the actions taken for different domain categories. For example, you can block all domains that fall under the phishing category.

  4. Create a Real-time Protection policy for the DNS profile you created.


Netskope Proxy applies DoH (DNS over HTTPS) policies per tenant policy configuration.

Once you enable your policy, all detected DNS threats are captured in Alerts. If a log all DNS configuration is set for debugging purposes, then those events are captured under Network Events.