DNS rules
A DNS rule is a Security Intelligence component that
- handles traffic based on the domain name requested by a host,
- operates after any traffic decryption and before access control evaluation, and
- matches traffic in the order specified: the system handles network traffic according to the first DNS rule whose conditions all match the traffic.
DNS rule components
In addition to its unique name, each DNS rule has these basic components:
- State: By default, rules are enabled. If you disable a rule, the system does not use it to evaluate network traffic and stops generating warnings and errors for that rule.
- Position: Rules in a DNS policy are numbered, starting at 1. The system matches traffic to rules in top-down order by ascending rule number. With the exception of Monitor rules, the first rule that traffic matches is the rule that handles that traffic.
- Conditions: Conditions specify the traffic the rule handles. A DNS rule must contain a DNS feed or list condition, and can also match traffic by security zone, network, dynamic attributes, or VLAN.
- Action: A rule's action determines how the system handles matching traffic.
The available actions handle matching traffic as follows:
- Traffic with a Do Not Block action is allowed, subject to further access control inspection.
- Monitored traffic is subject to further evaluation by the remaining rules on the DNS Block list. If the traffic does not match a DNS Block list rule, it is inspected with access control rules. The system logs a Security Intelligence event for the traffic.
- Traffic matching a Block list rule is dropped without further inspection. Alternatively, the rule can return a Domain Not Found response or redirect the DNS query to a sinkhole server.
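The evaluation order described above (top-down by position, disabled rules skipped, Monitor logging and continuing, every other match ending evaluation) as a constructed simulation; this is added example code, not the product's own implementation, and the rule names, the `.example` domains and the `zone` condition are assumptions.

```python
# Constructed example (not the product's code): simulates how an ordered DNS policy
# is evaluated for one DNS query, including the Monitor exception to first-match.
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnsRule:
    name: str
    domains: frozenset              # stands in for the required DNS feed/list condition
    action: str                     # do_not_block | monitor | block | domain_not_found | sinkhole
    enabled: bool = True
    zones: Optional[frozenset] = None   # optional security zone condition

def rule_matches(rule: DnsRule, domain: str, zone: str) -> bool:
    """All of a rule's conditions must match; disabled rules never match."""
    if not rule.enabled:
        return False
    if rule.zones is not None and zone not in rule.zones:
        return False
    # a list entry matches the name itself and any subdomain of it (assumed semantics)
    return any(domain == d or domain.endswith("." + d) for d in rule.domains)

def evaluate_query(rules: list, domain: str, zone: str):
    """Walk the rules top-down (position 1 first). Monitor logs a Security
    Intelligence event and keeps evaluating; any other match ends evaluation.
    Returns (verdict, events); 'access_control' means no Block list rule fired
    and the query continues to access control inspection."""
    events = []
    for position, rule in enumerate(rules, start=1):
        if not rule_matches(rule, domain, zone):
            continue
        if rule.action == "monitor":
            events.append(f"SI event: rule {position} ({rule.name}) monitored {domain}")
            continue
        return rule.action, events
    return "access_control", events

# Constructed policy; .example is a reserved TLD, so these names are placeholders.
POLICY = [
    DnsRule("allow-partner", frozenset({"partner.example"}), "do_not_block"),
    DnsRule("watch-trackers", frozenset({"tracker.example"}), "monitor"),
    DnsRule("old-block", frozenset({"legacy.example"}), "block", enabled=False),
    DnsRule("sinkhole-guest", frozenset({"c2.example"}), "sinkhole", zones=frozenset({"guest"})),
    DnsRule("block-feed", frozenset({"partner.example", "tracker.example", "c2.example"}), "block"),
]

if __name__ == "__main__":
    for domain, zone in [("www.partner.example", "inside"), ("tracker.example", "inside"),
                         ("legacy.example", "inside"), ("c2.example", "guest"), ("c2.example", "inside")]:
        print(domain, zone, evaluate_query(POLICY, domain, zone))
```

Note that `www.partner.example` is allowed by rule 1 even though rule 5 would block it, while `tracker.example` is logged by the Monitor rule and then still blocked by rule 5.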