The earliest recollection of this bug is traced back to PAN-OS 9.1.3 - July 29, 2024.
This bug is fixed in PAN-OS versions 9.1.3.
Fixed an issue where the firewall dropped DNS requests for root servers when the action of the DNS security signature was set to alert or sinkhole in an Anti-Spyware Security profile.
For more information:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-3-addressed-issues
