DNS Rule Order Evaluation
Rules in a DNS policy are numbered, starting at 1. The system matches traffic to DNS rules in top-down order by ascending rule number. In most cases, the system handles network traffic according to the first DNS rule where all the rule’s conditions match the traffic:
- For Monitor rules, the system logs the traffic, then continues evaluating it against lower-priority DNS Block list rules; a query logged by a Monitor rule can therefore still be blocked by a later rule.
- For non-Monitor rules, the system stops evaluating the traffic against additional, lower-priority DNS rules once it matches a rule.
Note the following regarding rule order:
- The Global Do-Not-Block List for DNS is always first, and takes precedence over all other rules.
- The Do-Not-Block List section precedes the Block List section; Do-Not-Block List rules always take precedence over other rules, so a domain on a Do-Not-Block list is never reached by a Monitor or Block list rule.
- The Global Block List for DNS is always first in the Block List section, and takes precedence over all other Monitor and Block list rules.
- The Block List section contains Monitor and Block list rules.
- When you first create a DNS rule, the system positions it last in the Do-Not-Block List section if you assign a Do Not Block action, or last in the Block List section if you assign any other action (including Monitor).
You can drag and drop rules to reorder them.
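To make the ordering rules concrete, the following is an added example written for this page; it is a toy model, not Firepower code or a Cisco API. The rule conditions (a dict of field to allowed values), the suffix-style domain matching, the field name `zone`, and the use of "Block" as a stand-in for any non-Monitor, non-Do-Not-Block action are all assumptions, and the sample policy and queries are constructed. It places new rules the way the section describes, numbers them in evaluation order, and shows a Monitor match being logged while a later rule still decides the verdict.

```python
"""Toy model of DNS policy rule-order evaluation (illustrative, not Firepower
code). Assumptions not taken from the page: conditions are field -> set of
allowed values, a domain condition matches the name or any subdomain, and
"Block" stands in for any non-Monitor, non-Do-Not-Block action."""
from dataclasses import dataclass

DO_NOT_BLOCK = "Do Not Block"
MONITOR = "Monitor"
BLOCK = "Block"


@dataclass
class Rule:
    name: str
    action: str
    conditions: dict  # field -> set of acceptable values (all must match)

    def matches(self, query: dict) -> bool:
        """True only when every condition on the rule matches the query."""
        for fld, allowed in self.conditions.items():
            value = query.get(fld)
            if value is None:
                return False
            if fld == "domain":
                # Assumption: a listed domain also covers its subdomains.
                if not any(value == d or value.endswith("." + d) for d in allowed):
                    return False
            elif value not in allowed:
                return False
        return True


class DnsPolicy:
    """Ordered rule set: Do-Not-Block section, then Block List section."""

    def __init__(self):
        # The global lists are pinned to the head of their sections.
        self.global_do_not_block = Rule(
            "Global Do-Not-Block List for DNS", DO_NOT_BLOCK, {"domain": set()})
        self.global_block = Rule(
            "Global Block List for DNS", BLOCK, {"domain": set()})
        self.do_not_block_rules = []   # user rules with a Do Not Block action
        self.block_section_rules = []  # user Monitor and Block rules

    def add_rule(self, rule: Rule) -> None:
        """Default placement: Do Not Block -> end of the Do-Not-Block section,
        any other action -> end of the Block List section."""
        if rule.action == DO_NOT_BLOCK:
            self.do_not_block_rules.append(rule)
        else:
            self.block_section_rules.append(rule)

    def numbered(self):
        """Rules in evaluation order, numbered from 1."""
        ordered = ([self.global_do_not_block] + self.do_not_block_rules
                   + [self.global_block] + self.block_section_rules)
        return list(enumerate(ordered, start=1))

    def evaluate(self, query: dict):
        """Return (final_action, deciding_rule_number, monitor_rule_numbers).
        Monitor matches are recorded and evaluation continues; the first
        non-Monitor match decides. (None, None, hits) means no non-Monitor
        rule matched; the model makes no claim about what happens next."""
        monitor_hits = []
        for number, rule in self.numbered():
            if not rule.matches(query):
                continue
            if rule.action == MONITOR:
                monitor_hits.append(number)  # logged, keep evaluating
                continue
            return rule.action, number, monitor_hits
        return None, None, monitor_hits


def build_sample_policy() -> DnsPolicy:
    """Constructed sample policy; rules are added in a deliberately mixed order."""
    policy = DnsPolicy()
    policy.global_do_not_block.conditions["domain"].add("allowlisted.example")
    policy.global_block.conditions["domain"].add("malware.example")
    policy.add_rule(Rule("Monitor .xyz lookups", MONITOR, {"domain": {"xyz"}}))
    policy.add_rule(Rule("Block bad.xyz from guest zone", BLOCK,
                         {"domain": {"bad.xyz"}, "zone": {"guest"}}))
    # Added last, yet a Do Not Block action lands in the earlier section (rule 2).
    policy.add_rule(Rule("Allow partner lookups", DO_NOT_BLOCK,
                         {"domain": {"partner.xyz"}}))
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for number, rule in policy.numbered():
        print(f"{number}. {rule.name} [{rule.action}]")
    for q in ({"domain": "www.partner.xyz", "zone": "guest"},
              {"domain": "bad.xyz", "zone": "guest"},
              {"domain": "bad.xyz", "zone": "inside"}):
        print(q, "->", policy.evaluate(q))
```

Running it shows the three points of the section: `www.partner.xyz` is decided by the Do Not Block rule at number 2 and never reaches the Monitor rule, even though `.xyz` would otherwise be logged; `bad.xyz` from the guest zone is logged by rule 4 and then blocked by rule 5; the same lookup from another zone is logged by rule 4 but no Block list rule matches it.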