The Domain Name System (DNS) remains one of the most frequently abused attack vectors. According to the Verizon 2024 Data Breach Investigations Report, ransomware and extortion techniques are involved in roughly 32% of breaches, and attackers frequently rely on infrastructure services such as DNS to establish command-and-control (C2) communication and maintain persistence within compromised environments. In practice, a single DNS request from a user’s device can quietly become the first step in a much larger attack.
As work becomes increasingly distributed, DNS activity is no longer confined to the corporate network. Employees move between networks throughout the day. They start at home, head to the office, and maybe later connect from a coffee shop. Each environment introduces new risks, yet security has historically been tied to the network, not to the user or their location. For many organizations, this constant movement raises a simple but important question: How do you protect your users no matter where they connect?
That network-centric model assumes that protection is strongest inside the corporate perimeter and weakest outside it, but modern work has flipped that assumption. As users become more mobile, their organization’s visibility into their activity becomes more fragmented, creating gaps that attackers are eager to exploit.
Blocking malicious domains at the DNS resolution stage stops threats before a connection is ever established, shifting prevention to an earlier point in the kill chain than network- or endpoint-layer controls can reach.
The challenge now is both securing the network and providing enterprise-grade protection that follows users wherever they work. The combination of the Prisma® Agent and Advanced DNS Security Resolver begins to reshape what always-on DNS security means. It enables organizations to extend protection beyond traditional network boundaries and directly to their users.
The Off-Tunnel Problem No One Can Ignore
A particularly risky moment occurs when users are “off-tunnel.” They often disconnect their security agent to bypass a hotel’s captive portal, circumvent local site restrictions or resolve underlying network connectivity issues. These situations occur frequently in everyday work environments and often go unnoticed by users, who might not realize the security implications.
In these moments, the device silently falls back to whatever resolver the local network hands out, typically the ISP’s or the venue’s, which the organization neither controls nor monitors. For the security team, visibility into that activity suddenly disappears, creating a significant last-mile visibility gap. Compounding the problem, traditional resolvers were built for speed, not security. They lack the inline inspection required to catch sophisticated threats.
This visibility gap matters because modern attacks move quickly. According to the 2026 Unit 42® Global Incident Response Report, attackers can move from initial access to data exfiltration in as little as 72 minutes, making real-time detection and prevention critical. Advanced DNS Security Resolver provides these capabilities to stop DNS-based threats before they progress further into the attack chain.
Consequently, when a user disconnects, they enter a blind spot where risks, such as DNS hijacking, DNS tunneling and malicious C2 communication, can operate unnoticed. From an organizational perspective, this situation creates a critical window where attackers can establish a foothold without detection. Extending Advanced DNS Security Resolver via the Prisma Agent closes this persistent gap, providing protection that travels with the device, regardless of whether the main tunnel is active.
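To make the "blind spot" concrete, here is the kind of DNS-tunneling signal that is lost when queries go to an unmonitored resolver. This is an added illustration, not code from Palo Alto Networks or from any product the post describes: it scores per-domain query telemetry with a few classic heuristics (high-entropy and long leftmost labels, mostly unique subdomains, and TXT/NULL-heavy query mixes). The log format, the thresholds and the two-label "registered domain" approximation are assumptions made for the example; a production detector would use the Public Suffix List and tuned baselines.

```python
import math
from collections import defaultdict

# Constructed sample telemetry for this example (not from any real resolver):
# "<unix timestamp> <client> <qname> <qtype> <rcode>" per line.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A NOERROR
1700000002 10.0.0.5 cdn.example.net A NOERROR
1700000003 10.0.0.5 3q2k9v0d1x8z7b5n4m6c2w1e.t.exfil-test.invalid TXT NOERROR
1700000004 10.0.0.5 9f8e7d6c5b4a3021f1e2d3c4.t.exfil-test.invalid TXT NOERROR
1700000005 10.0.0.5 a1b2c3d4e5f60718293a4b5c.t.exfil-test.invalid TXT NOERROR
1700000006 10.0.0.5 f0e1d2c3b4a5968778695a4b.t.exfil-test.invalid TXT NOERROR
1700000007 10.0.0.5 mail.example.com MX NOERROR
"""

# Illustrative thresholds (assumptions, not vendor-published values).
ENTROPY_BITS = 3.5       # mean Shannon entropy of the leftmost label
LABEL_LENGTH = 20        # mean length of the leftmost label
UNIQUE_RATIO = 0.8       # unique qnames / queries for the domain
TXT_RATIO = 0.5          # share of TXT/NULL queries
TUNNEL_QTYPES = {"TXT", "NULL"}


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype, "rcode": rcode}


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive two-label approximation of the registrable domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text, min_queries=3):
    """Return {registered_domain: [reasons]} for domains that trip >= 2 heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(),
                                 "entropy": [], "length": [], "tunnel_types": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        st = stats[registered_domain(rec["qname"])]
        leftmost = rec["qname"].split(".")[0]   # the label a tunnel stuffs data into
        st["queries"] += 1
        st["qnames"].add(rec["qname"])
        st["entropy"].append(shannon_entropy(leftmost))
        st["length"].append(len(leftmost))
        if rec["qtype"] in TUNNEL_QTYPES:
            st["tunnel_types"] += 1

    findings = {}
    for domain, st in stats.items():
        if st["queries"] < min_queries:
            continue   # too little data to score
        mean_entropy = sum(st["entropy"]) / len(st["entropy"])
        mean_length = sum(st["length"]) / len(st["length"])
        reasons = []
        if mean_entropy > ENTROPY_BITS:
            reasons.append(f"high-entropy leftmost labels (mean {mean_entropy:.2f} bits)")
        if mean_length >= LABEL_LENGTH:
            reasons.append(f"long leftmost labels (mean {mean_length:.1f} chars)")
        if len(st["qnames"]) / st["queries"] > UNIQUE_RATIO:
            reasons.append("almost every query is a new subdomain")
        if st["tunnel_types"] / st["queries"] > TXT_RATIO:
            reasons.append("TXT/NULL-heavy query mix")
        if len(reasons) >= 2:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Run as-is, it flags only `exfil-test.invalid`; the two `example.com` queries fall below the minimum sample size and `example.net` has a single query. The point is that these heuristics need the query log to exist: once the device falls back to an unmanaged resolver, nothing on the corporate side sees the lines this code scores.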
Prisma Agent as Your Always-on DNS Security Layer
The Prisma Agent strengthens endpoint resilience by acting as an always-present DNS control point. Instead of waiting for a full network connection to be established, the agent establishes active DNS protection the moment the device comes online. Even if the user disconnects from the network or tunnel, DNS traffic is automatically routed to the Palo Alto Networks Advanced DNS Security Resolver, so the device receives the same Advanced DNS Security protections that NGFW and Prisma Access deliver.

This level of security enables users to remain protected even when connecting from unfamiliar or untrusted networks.
In this model, Prisma Agent acts as the always-on delivery mechanism, while Advanced DNS Security Resolver provides the centralized security engine. This mechanism automatically intercepts DNS queries and forwards them to our resolvers over an encrypted connection. Even on an untrusted public network, this approach allows our industry-leading Precision AI® technology, which provides inline prevention capabilities, to inspect every query. Malicious traffic is identified and blocked before a connection is ever established.
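What "blocked before a connection is ever established" looks like on the wire: a resolver that receives the raw DNS query, matches the name against policy and, for a blocked name, hands back a sinkhole answer so the client never learns the real address. The following is an added example written for this post, not Palo Alto Networks code, and it stands in for only the policy step. It parses a DNS query per RFC 1035, returns a sinkhole A record (or an empty NOERROR answer for other types) for blocklisted names and subdomains, and reports "forward" for everything else; the encrypted forwarding to the upstream resolver that the post describes is out of scope here. The blocklist, the sinkhole address `0.0.0.0`, the TTL and the `.invalid` test names are assumptions.

```python
import struct

SINKHOLE_IP = "0.0.0.0"   # assumption: address returned for blocked names
SINKHOLE_TTL = 60         # assumption: short TTL so a policy change takes effect quickly


def encode_name(name):
    """Dotted name -> RFC 1035 label sequence ending in a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet, offset):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(packet, pointer)[0])
            return ".".join(labels), offset + 2
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(qname, qtype=1, txid=0x1234):
    """Standard recursive query with one question (used here to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw question section)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, qname.lower(), qtype, qclass, packet[12:offset + 4]


def is_blocked(qname, blocklist):
    """True if the name or any parent domain is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_sinkhole_response(query, sinkhole_ip=SINKHOLE_IP, ttl=SINKHOLE_TTL):
    """Answer A questions with the sinkhole address; other types get NOERROR/NODATA."""
    txid, _, qtype, qclass, question = parse_query(query)
    answer = b""
    if qtype == 1 and qclass == 1:
        rdata = bytes(int(o) for o in sinkhole_ip.split("."))
        # 0xC00C points back at the qname in the question section.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    flags = 0x8180                       # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def handle_query(packet, blocklist):
    """Policy step of the resolver: ('blocked', response) or ('forward', None)."""
    _, qname, _, _, _ = parse_query(packet)
    if is_blocked(qname, blocklist):
        return "blocked", build_sinkhole_response(packet)
    return "forward", None


if __name__ == "__main__":
    policy = {"malicious-test.invalid"}          # assumed blocklist
    for name in ("c2.malicious-test.invalid", "www.example.com"):
        verdict, resp = handle_query(build_query(name), policy)
        print(name, "->", verdict, "" if resp is None else f"({len(resp)} byte response)")
```

A real deployment would bind this to a UDP/TCP socket, forward the "forward" case upstream over DoT or DoH, and log both outcomes; the security property it demonstrates is that a blocked name never produces a routable address, so the TCP handshake to the C2 host never starts.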
What Advanced DNS Security Resolver Means for Real-World Protection
With Advanced DNS Security Resolver, organizations gain meaningful improvements across the entire security lifecycle, while enabling users to work freely without sacrificing protection.

Advanced DNS Security Resolver protection flow
These capabilities deliver several real-world security benefits:
- Real-time zero-day prevention: Detect and stop emerging DNS-based threats in real time using Precision AI technology before they reach a user.
- Prevention of patient zero: Block malicious connections at the DNS layer before malware can establish a C2 connection.
- Persistent acceptable use: Enforce content policies even when users disconnect from the corporate tunnel.
- Seamless user experience: Allow access to local resources, such as hotel portals and printers, without compromising security.
- Continuous visibility: Maintain user-level DNS telemetry and threat visibility even when the tunnel is inactive.
One Policy, Everywhere
From an operations standpoint, the experience is simple and unified. Security teams define their DNS security policies once in Strata™ Cloud Manager, and the Prisma Agent enforces them across all supported Windows and macOS devices.
Organizations don’t need separate roaming agents or fragmented visibility. Whether a user is at a customer site, a home office, or traveling internationally, the same high-fidelity DNS security applies. You gain consistent protection without the complexity of managing multiple tools or policies. This unified model simplifies management and provides a clearer view of threats across the environment by correlating DNS signals with other security data.
Security That Keeps up with Modern Work
The reality is simple: Hybrid work is here to stay, and security must adapt. Perimeter-based models are no longer sufficient when work happens across multiple locations and networks. Organizations need security that can move with their workforce.
Bringing together Prisma Agent and Advanced DNS Security Resolver provides a modern, flexible approach to protection. Advanced DNS Security Resolver uses Precision AI to block billions of threats daily, while Prisma Agent ensures that protection follows users wherever they connect.
Your users no longer have to choose between flexibility and safety. With Prisma Agent and Advanced DNS Security Resolver working together, your organization can deliver consistent protection and visibility wherever work happens.
Ready to close your last-mile visibility gap? Connect with your Palo Alto Networks representative or learn more about Advanced DNS Security to see how Precision AI helps stop DNS-based threats in real time.