DNS Rule Actions

Every DNS rule has an action that determines the following for matching traffic:

  • handling—foremost, the rule action governs whether the system will block, not block, or monitor traffic that matches the rule’s conditions, based on a Block or Do Not Block list

  • logging—the rule action determines when and how you can log details about matching traffic

Do Not Block Action

The Do Not Block action allows traffic to pass to the next phase of inspection, which is access control rules.

The system does not log Do Not Block list matches. Logging of these connections depends on their eventual disposition.

Monitor Action

The Monitor action is designed to force connection logging; matching traffic is neither immediately allowed nor blocked. Rather, traffic is matched against additional rules to determine whether to permit or deny it. The first non-Monitor DNS rule matched determines whether the system blocks the traffic. If there are no additional matching rules, the traffic is subject to access control evaluation.

For connections monitored by a DNS policy, the system logs end-of-connection Security Intelligence and connection events to the management center database.

Block Actions

These actions block traffic without further inspection of any kind:

  • The Drop action drops the traffic.

  • The Domain Not Found action returns a non-existent internet domain response to the DNS query, which prevents the client from resolving the DNS request.

  • The Sinkhole action returns a sinkhole object's IPv4 or IPv6 address in response to the DNS query (A and AAAA records only). The sinkhole server can log, or log and block, follow-on connections to the IP address. If you configure a Sinkhole action, you must also configure a sinkhole object.

For a connection blocked based on the Drop or Domain Not Found actions, the system logs beginning-of-connection Security Intelligence and connection events. Because blocked traffic is immediately denied without further inspection, there is no unique end of connection to log.

For a connection blocked based on the Sinkhole action, logging depends on the sinkhole object configuration. If you configure your sinkhole object to only log sinkhole connections, the system logs end-of-connection connection events for the follow-on connection. If you configure your sinkhole object to log and block sinkhole connections, the system logs beginning-of-connection connection events for the follow-on connection, then blocks that connection.