C & D are Correct. - https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812 ---Deals with 100K limit - https://docs.paloaltonetworks.com/threat-prevention ---Deals with DNS Security feature and how to buy and activate it.

According to PCNSA Study guide of PanOS 11 (Jan 2023 version) Pag 96: "Licenses are activated from the Palo Alto Networks Customer Support Portal and must be active before DNS analysis can take place" So, that's exclude A and make correct the second statement of C; also the first statement seems correct. For what concerning D, I think it is not correct. From https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures "Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures"; this means that the limit for DNS downloaded from DNS updates is the same since it is hard-coded even after its activation. Infact, as answer B says, It is a system that resolve the limitation by eliminating the need for dynamic DNS updates. D would have been correct if they had substituted the word "removes" with "resolves".

Correctly answer should be B & C D is incorrect. the downloaded DNS updates still have 100k limitation hardcoded, the new DNS security cloud service doesn't "remove" the 100K limit for DNS entries for the downloaded DNS updates. https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812 "New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures. " https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures ”downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures“

According to this article: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures 1) Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated through advanced analysis. So D is correct. 2) To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users with instant access to newly added DNS signatures without the need to download updates. So B is correct. It eliminates the need for dynamic DNS updates.

C&D A: incorrect, you need to attach an anti-spyware profile to the rule that has this feature enabled. B: incorrect, dynamic DNS serves a whole other purpose, has nothing to do with DNS lookups (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg.html) C: correct, they are probably referring to the additional license you have to acquire, similar to the URL filtering license. D: correct, DNS security aims to provide a better alternative for the DNS signature downloads, by making it cloud-based, thus eliminating the need for downloading the DNS database locally (which apparently is limited to 100k entries)

https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812

Agree with drogadot, A.Nope, It’s not auto enabled and configured and requires activation through the app portal B.Yup, Because it leverages the data in the cloud so you don’t need to download it locally C.Yup, see A & B D.Nope, the local database hard coded limit of 100k did not magically disappear, it’s still there, you will just not get limited by it because you are referencing/using a cloud based database.

BC for same reasons as said drogadotcom

It's not automatically anything if you must purchase it. C and D but, the answers are too vague.

B. It eliminates the need for dynamic DNS updates. C. It functions like PAN-DB and requires activation through the app portal

C. It functions like PAN-DB and requires activation through the app portal. Similar to other Palo Alto Networks security services like PAN-DB, the DNS Security service needs to be activated through the app portal. This activation ensures that the service is properly set up and configured to start protecting against DNS-based threats. D. It removes the 100K limit for DNS entries for the downloaded DNS updates. One of the enhancements provided by the DNS Security service is that it removes the previous limitation of 100,000 DNS entries. This allows for a more comprehensive and extensive database of DNS signatures and threat intelligence to be used for detecting and preventing DNS-based threats.

This on-demand cloud database provides users with access to the complete Palo Alto Network’s DNS signature set, including signatures generated using advanced analysis techniques, as well as real-time DNS request analysis. Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated through advanced analysis. To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users with instant access to newly added DNS signatures without the need to download updates. If network connectivity goes down or is otherwise unavailable, the firewall uses the onbox DNS signature set.

According to this: https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures

B D is answer

C&D are correct

B, D are correct

B - There's no downloaded signature anymore, all the queries occur in real time accessing Palo Alto cloud services. D - As no downloaded signatures are needed, it removes the 100k limitation.