Enable DNS Filtering to Identify URLs During Domain Lookup

DNS filtering is enabled by default in new access control policies. However, additional configuration may be required for this setting to take effect.

Before you begin

  • URL filtering using category and reputation must be licensed, enabled, and configured.

    (DNS filtering does not use the following settings in the URLs tab: URL groups, URL objects, URL lists and feeds, and URLs entered into the "Enter URL" text box.)

  • See limitations at DNS Filtering Limitations.

Procedure


Step 1

In your access control policy's advanced settings, select Enable reputation enforcement on DNS traffic.

Step 2

In the same policy, for each access control rule that has URL category and reputation blocking configured:

  • Application conditions—If the application condition is anything other than any (or empty), add DNS to that list. Other DNS-related options are not relevant for this purpose.

  • Port condition—If the port/protocol condition is anything other than any (or empty), add DNS_over_TCP and DNS_over_UDP.

Step 3

Save your changes.
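The checks in Steps 1 and 2 can be expressed as a small audit over a list of rules. The following is an added example, not code from the product or its documentation; the policy and rule dictionary layout, the field names, and the sample rules are constructed assumptions, not the product's export or API schema.

```python
# Added example. The policy/rule dictionary layout is a constructed
# simplification (assumption), not the product's export or API schema.
REQUIRED_APP = "DNS"
REQUIRED_PORTS = {"DNS_over_TCP", "DNS_over_UDP"}


def is_any(condition):
    """An empty condition or the single value 'any' needs no DNS additions."""
    return not condition or [c.lower() for c in condition] == ["any"]


def dns_filtering_gaps(policy):
    """Return (rule name, finding) pairs for the Step 1 and Step 2 checks."""
    gaps = []
    if not policy.get("dns_reputation_enforcement", False):
        gaps.append(("(advanced settings)",
                     "enable reputation enforcement on DNS traffic"))
    for rule in policy.get("rules", []):
        # Step 2 applies only to rules with URL category and reputation blocking.
        if not rule.get("url_category_reputation_block"):
            continue
        apps = rule.get("applications", [])
        if not is_any(apps) and REQUIRED_APP not in apps:
            gaps.append((rule["name"], "add DNS to application condition"))
        ports = rule.get("ports", [])
        missing = sorted(REQUIRED_PORTS - set(ports))
        if not is_any(ports) and missing:
            gaps.append((rule["name"],
                         "add " + ", ".join(missing) + " to port condition"))
    return gaps


# Constructed sample policy (not taken from a real deployment).
SAMPLE_POLICY = {
    "dns_reputation_enforcement": True,
    "rules": [
        {"name": "Block-Malware-Sites", "url_category_reputation_block": True,
         "applications": ["HTTP", "HTTPS"], "ports": ["HTTP", "HTTPS"]},
        {"name": "Block-Gambling", "url_category_reputation_block": True,
         "applications": [], "ports": ["any"]},
        {"name": "Block-Adult", "url_category_reputation_block": True,
         "applications": ["HTTP", "DNS"], "ports": ["HTTPS", "DNS_over_UDP"]},
        {"name": "Allow-Admin-SSH", "url_category_reputation_block": False,
         "applications": ["SSH"], "ports": ["SSH"]},
    ],
}

if __name__ == "__main__":
    for name, finding in dns_filtering_gaps(SAMPLE_POLICY):
        print(f"{name}: {finding}")
```

Rules with an empty or any condition are left alone, matching the procedure: only rules that narrow the application or port condition need the DNS entries added.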


What to do next

If you are done making changes: Deploy Configuration Changes.