DNS rule actions

A DNS rule action is a configuration setting that

  • determines handling for matching traffic, governing whether the system will block, not block, or monitor traffic based on rule conditions,

  • controls logging behavior, determining when and how details about matching traffic are recorded, and

  • affects how the rule's action is prioritized when the policy is used together with Threat Intelligence Director (TID).

DNS rule action types

DNS rules support these action types:

  • Do Not Block: Allows traffic to pass to the next phase of inspection, which is access control rules. The system does not log Do Not Block list matches. Logging of these connections depends on their eventual disposition.

  • Monitor: Forces connection logging; matching traffic is neither immediately allowed nor blocked. Traffic is matched against additional rules to determine whether to permit or deny it. The first non-Monitor DNS rule matched determines whether the system blocks the traffic. If there are no additional matching rules, the traffic is subject to access control evaluation. For connections monitored by a DNS policy, the system logs end-of-connection Security Intelligence and connection events to the Cloud-Delivered Firewall Management Center database.

  • Drop: Drops the traffic without further inspection.

  • Domain Not Found: Returns a non-existent internet domain response to the DNS query, which prevents the client from resolving the DNS request.

  • Sinkhole: Returns a sinkhole object's IPv4 or IPv6 address in response to the DNS query (A and AAAA records only). The sinkhole server can log, or log and block, follow-on connections to the IP address. If you configure a Sinkhole action, you must also configure a sinkhole object.

Logging behavior varies based on the action type:

  • For a connection blocked based on the Drop or Domain Not Found actions, the system logs beginning-of-connection Security Intelligence and connection events. Because blocked traffic is immediately denied without further inspection, there is no unique end of connection to log.

  • For a connection blocked based on the Sinkhole action, logging depends on the sinkhole object configuration. If you configure your sinkhole object to only log sinkhole connections, the system logs end-of-connection connection events for the follow-on connection. If you configure your sinkhole object to log and block sinkhole connections, the system logs beginning-of-connection connection events for the follow-on connection, then blocks that connection.
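The first-match evaluation and the per-action logging described above, modelled as a small Python evaluator. This is an added example, not Cisco's code or configuration format: the rule names, domain lists, sinkhole addresses and event strings are constructed for illustration, and the model only covers A and AAAA queries, the record types a Sinkhole action answers.

```python
"""Toy first-match evaluator for DNS rule actions (added example, not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    DO_NOT_BLOCK = "Do Not Block"
    MONITOR = "Monitor"
    DROP = "Drop"
    DOMAIN_NOT_FOUND = "Domain Not Found"
    SINKHOLE = "Sinkhole"


@dataclass
class SinkholeObject:
    """Address handed back to the client, plus whether follow-on connections are only logged or logged and blocked."""
    ipv4: str
    ipv6: str
    block_followon: bool


@dataclass
class DnsRule:
    name: str
    domains: Tuple[str, ...]          # constructed matcher: query name equals, or is a subdomain of, an entry
    action: Action
    sinkhole: Optional[SinkholeObject] = None

    def __post_init__(self) -> None:
        # A Sinkhole action must have a sinkhole object configured.
        if self.action is Action.SINKHOLE and self.sinkhole is None:
            raise ValueError(f"rule {self.name!r}: Sinkhole action requires a sinkhole object")


@dataclass
class Verdict:
    action: Action                    # disposition of the DNS query
    decided_by: Optional[str]         # rule that decided it; None = no non-Monitor match, access control decides
    response: str                     # what the client sees: "dropped", "NXDOMAIN", a sinkhole address, or "resolve normally"
    forced_logging: bool              # True if a Monitor rule matched on the way
    events: List[str] = field(default_factory=list)


def rule_matches(rule: DnsRule, qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in rule.domains)


def evaluate(rules: List[DnsRule], qname: str, qtype: str = "A") -> Verdict:
    """Walk the rules in order; Monitor forces logging and continues, the first other match decides."""
    if qtype not in ("A", "AAAA"):
        raise ValueError("model only covers A/AAAA queries")
    forced = False
    events: List[str] = []
    for rule in rules:
        if not rule_matches(rule, qname):
            continue
        if rule.action is Action.MONITOR:
            forced = True
            events.append(f"{rule.name}: end-of-connection Security Intelligence + connection events")
            continue
        if rule.action is Action.DO_NOT_BLOCK:
            # Not logged by the DNS policy; the query moves on to access control rules.
            return Verdict(rule.action, rule.name, "resolve normally", forced, events)
        if rule.action in (Action.DROP, Action.DOMAIN_NOT_FOUND):
            events.append(f"{rule.name}: beginning-of-connection Security Intelligence + connection events")
            resp = "NXDOMAIN" if rule.action is Action.DOMAIN_NOT_FOUND else "dropped"
            return Verdict(rule.action, rule.name, resp, forced, events)
        # Sinkhole: answer with the object's address; follow-on logging depends on the object.
        sk = rule.sinkhole
        addr = sk.ipv4 if qtype == "A" else sk.ipv6
        if sk.block_followon:
            events.append(f"{rule.name}: follow-on to {addr}: beginning-of-connection connection event, then blocked")
        else:
            events.append(f"{rule.name}: follow-on to {addr}: end-of-connection connection event")
        return Verdict(rule.action, rule.name, addr, forced, events)
    # No non-Monitor rule matched: subject to access control evaluation.
    return Verdict(Action.DO_NOT_BLOCK, None, "resolve normally", forced, events)


# Constructed sample policy (RFC 5737 / RFC 3849 documentation addresses).
LOG_ONLY = SinkholeObject("192.0.2.10", "2001:db8::10", block_followon=False)
LOG_AND_BLOCK = SinkholeObject("192.0.2.20", "2001:db8::20", block_followon=True)
POLICY = [
    DnsRule("watch-suspect", ("c2.example", "partner.example"), Action.MONITOR),
    DnsRule("allow-corp", ("corp.example",), Action.DO_NOT_BLOCK),
    DnsRule("nx-ads", ("ads.example",), Action.DOMAIN_NOT_FOUND),
    DnsRule("sink-c2", ("c2.example",), Action.SINKHOLE, LOG_ONLY),
    DnsRule("sink-phish", ("phish.example",), Action.SINKHOLE, LOG_AND_BLOCK),
    DnsRule("drop-bad", ("bad.example",), Action.DROP),
]

if __name__ == "__main__":
    for name, qt in [("www.corp.example", "A"), ("c2.example", "AAAA"), ("ads.example", "A"),
                     ("phish.example", "A"), ("bad.example", "A"), ("partner.example", "A")]:
        v = evaluate(POLICY, name, qt)
        print(f"{name:18} {qt:4} -> {v.action.value:16} by {v.decided_by} | {v.response} | logged={v.forced_logging}")
        for e in v.events:
            print("    ", e)
```

Querying `c2.example` shows the Monitor semantics: the Monitor rule records its end-of-connection events and evaluation continues, so the Sinkhole rule still decides the answer; `partner.example` matches only the Monitor rule and falls through to access control with logging forced.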