DNS Policy Components

Each DNS policy must have a unique name. A description is optional.

Rules provide a granular method of handling network traffic based on the domain name. Rules in a DNS policy are numbered, starting at 1. The system matches traffic to DNS rules in top-down order by ascending rule number.

When you create a DNS policy, the system populates it with a default Global Do-Not-Block List for DNS rule and a default Global Block List for DNS rule. Both rules are fixed to the first position in their respective categories. You cannot modify these rules, but you can disable them.

A descendant list contains the domains on the Block or Do Not Block lists of system subdomain users. From an ancestor domain, you cannot view the contents of descendant lists. If you do not want subdomain users to add domains to a Block or Do Not Block list:

• disable the descendant list rules, and

• enforce Security Intelligence using the access control policy inheritance settings

The system evaluates rules in the following order:

• Global Do-Not-Block List for DNS rule (if enabled)

• Descendant DNS Do-Not-Block Lists rule (if enabled)

• Rules with a Do Not Block action

• Global Block List for DNS rule (if enabled)

• Descendant DNS Block Lists rule (if enabled)

• Rules with an action other than Do Not Block

Usually, the system handles DN-based network traffic according to the first DNS rule where all the rule’s conditions match the traffic. If no DNS rules match the traffic, the system continues evaluating the traffic based on the associated access control policy's rules. DNS rule conditions can be simple or complex.