About Response Policies - BlueCat Address Manager - 8.2.0

Address Manager Administration Guide

Use Response Policies to configure DNS resolvers to respond to DNS queries for a particular zone or host with a user-configured response.

Response Policies are particularly useful when users query for malicious, illegal or undesirable content as the DNS server can be configured to block or redirect the request to prevent an infection or stop abuse. Response Policies allow you to leverage the DNS service to add a layer of protection or simply prevent unwanted access. For example:
  • If you are a corporate user and want to prevent employees from reaching harmful websites, you can set up Response Policies that block those websites so that no query response is returned, or that redirect employees to an appropriate website instead.
  • If you need to follow a government regulation that mandates certain DNS blocking, Response Policies can be used to implement this requirement.
There are three different types of Response Policies that can be set based on user requirements:
  • Blacklist—list of domains that are blocked on the network. Blacklisting only allows through objects that are not explicitly included in the list. Objects matching the Blacklist return a Non-existent domain (NXDOMAIN) result.
  • Blackhole—silently discards incoming or outgoing traffic to domains on the Blackhole list, without informing the source. Objects matching the Blackhole list return a NOERROR result with an empty answer section.
  • Whitelist—trusted domains excluded from blocking. Objects matching the Whitelist are excluded from further processing.
    Note: The Whitelist response policy takes no action against matching objects; it only logs that a domain matching the block list was found.
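The three policy types differ only in what the resolver hands back to the client, so the decision logic is small enough to model end to end. The following is an added example written for this page, not BlueCat code: it evaluates a query name against constructed Whitelist, Blacklist and Blackhole sets and returns the response the text describes for each match (passthrough with a log entry, NXDOMAIN, or NOERROR with no answers). Two points are assumptions rather than statements from the page: the Whitelist is checked first because its matches are "excluded from further processing", and a list entry is taken to cover the name itself and all of its subdomains.

```python
"""Model of how a DNS Response Policy decides what a resolver returns.

Added example, not part of BlueCat Address Manager. Assumptions:
  * Whitelist is evaluated before Blacklist and Blackhole.
  * A list entry covers itself and every subdomain (suffix matching).
  * Sample domain names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List


@dataclass
class PolicyDecision:
    action: str                     # "passthrough", "blacklist" or "blackhole"
    rcode: Optional[str]            # RCODE to return; None = resolve normally
    answers: List[str] = field(default_factory=list)
    matched: Optional[str] = None   # list entry that matched, for the log


@dataclass
class ResponsePolicy:
    whitelist: Set[str]
    blacklist: Set[str]
    blackhole: Set[str]

    def __post_init__(self) -> None:
        # Normalise entries so matching is case-insensitive and dot-insensitive.
        norm = lambda s: {e.rstrip(".").lower() for e in s}
        self.whitelist = norm(self.whitelist)
        self.blacklist = norm(self.blacklist)
        self.blackhole = norm(self.blackhole)

    @staticmethod
    def _match(qname: str, entries: Set[str]) -> Optional[str]:
        """Return the most specific entry covering qname, or None.

        Assumption: an entry covers the name itself and all subdomains,
        so "bad.example" matches "www.bad.example".
        """
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in entries:
                return candidate
        return None

    def evaluate(self, qname: str) -> PolicyDecision:
        """Apply the policy to one query name and describe the response."""
        hit = self._match(qname, self.whitelist)
        if hit:
            # Whitelist: no action taken; the match is only logged and
            # the name is excluded from further processing.
            return PolicyDecision("passthrough", None, [], hit)

        hit = self._match(qname, self.blacklist)
        if hit:
            # Blacklist: client is told the name does not exist.
            return PolicyDecision("blacklist", "NXDOMAIN", [], hit)

        hit = self._match(qname, self.blackhole)
        if hit:
            # Blackhole: NOERROR with an empty answer section, nothing
            # is said to the source about why.
            return PolicyDecision("blackhole", "NOERROR", [], hit)

        # Not listed anywhere: resolve normally.
        return PolicyDecision("passthrough", None, [])


# Constructed sample lists (not real indicators).
SAMPLE_POLICY = ResponsePolicy(
    whitelist={"partner.example"},
    blacklist={"malware.example", "partner.example"},  # whitelist should win
    blackhole={"sink.example"},
)

if __name__ == "__main__":
    for name in ("www.malware.example.", "sink.example", "cdn.partner.example", "neutral.example"):
        d = SAMPLE_POLICY.evaluate(name)
        print(f"{name:<24} -> {d.action:<11} rcode={d.rcode} matched={d.matched}")
```

Running the module prints one line per constructed name, showing that the whitelisted partner domain passes through even though it also appears on the Blacklist, the blacklisted name gets NXDOMAIN, the blackholed name gets NOERROR with no answers, and an unlisted name is resolved normally.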

These types of Response Policies can be configured at the DNS configuration level. However, for Response Policies to be fully effective, users must be restricted to the DNS server for resolution. To prevent users from bypassing the DNS server, restrict outbound DNS access on the firewall to ONLY your DNS servers. This prevents users from directly querying DNS servers on the Internet.