DNS Filtering and Events
Connection events generated by DNS filtering are logged using the following fields: DNS Query, URL Category, URL Reputation, and Destination Port. The DNS Query field holds the domain name; the URL field will be blank for DNS filtering matches. The Destination Port will be 53.
Also:
-
When the access control rule action is Allow or Trust, two connection events will be generated for the same traffic, one for DNS filtering (with the DNS Query field populated) and one for URL filtering (with the URL field populated).
-
The first time the system encounters a particular URL, you will see two events for that single session: One event showing uncategorized/reputationless for the DNS Query, and one event showing the actual category and reputation for the URL, which were retrieved during the DNS Query and applied to the session while processing using standard URL filtering.