Use Response Policies to configure DNS resolvers to respond to DNS queries for a particular zone or host with a user-configured response.
- If you are a corporate user who wants to prevent employees from connecting to harmful websites, you can set up Response Policies to block those sites, so that the query returns no usable response or the employees are simply redirected to an appropriate website.
- If you need to comply with a government regulation that mandates certain DNS blocking, Response Policies can be used to implement that requirement.
- Blacklist—list of domains that are blocked on the network. Blacklisting only allows through objects that are not explicitly included in the list. Objects matching the Blacklist return a Non-existing domain (NXDOMAIN) result.
- Blackhole—discards incoming or outgoing traffic to domains on the Blackhole list silently without informing the source. Objects matching the Blackhole list return a NOERROR result with no answers.
- Whitelist—trusted domains excluded from blocking. Objects matching the Whitelist are excluded from further processing.

Note: The Whitelist response policy takes no action against matching objects; it only logs that a domain matching the block list was found.
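The evaluation order described above (Whitelist checked first and excluded from further processing, Blacklist answering NXDOMAIN, Blackhole answering NOERROR with no answers), as an added Python illustration that is not part of the original documentation or of any DNS product. The lists, query names and the assumption that a zone entry also covers its subdomains, and that the Blacklist is consulted before the Blackhole, are mine, not taken from the page.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Action(Enum):
    PASS = "resolve normally"
    NXDOMAIN = "NXDOMAIN"          # Blacklist: non-existent domain
    NODATA = "NOERROR, no answers"  # Blackhole: empty answer section


@dataclass
class ResponsePolicy:
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    blackhole: Set[str] = field(default_factory=set)

    @staticmethod
    def _match(qname: str, zones: Set[str]) -> Optional[str]:
        """Return the zone entry that qname equals or sits under (assumed suffix matching)."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):            # most specific candidate first
            candidate = ".".join(labels[i:])
            if candidate in zones:
                return candidate
        return None

    def evaluate(self, qname: str) -> Tuple[Action, Optional[str], str]:
        """Return (action, matched zone, log line) for one query name."""
        zone = self._match(qname, self.whitelist)
        if zone is not None:  # Whitelist: no action taken, only a log entry
            return Action.PASS, zone, f"whitelist {zone}: {qname} excluded from block processing"
        zone = self._match(qname, self.blacklist)
        if zone is not None:  # Blacklist: answer NXDOMAIN
            return Action.NXDOMAIN, zone, f"blacklist {zone}: NXDOMAIN for {qname}"
        zone = self._match(qname, self.blackhole)
        if zone is not None:  # Blackhole: NOERROR with an empty answer section
            return Action.NODATA, zone, f"blackhole {zone}: NOERROR/no answers for {qname}"
        return Action.PASS, None, f"no policy match for {qname}"


# Constructed sample policy; the names are placeholders, not real indicators.
POLICY = ResponsePolicy(
    whitelist={"safe.malware.example"},
    blacklist={"malware.example"},
    blackhole={"tracker.example"},
)

if __name__ == "__main__":
    for q in ("www.malware.example.", "safe.malware.example", "cdn.tracker.example", "example.com"):
        print(POLICY.evaluate(q)[2])
```

On a live resolver the two blocking outcomes are distinguishable with `dig`: a blacklisted name comes back with status NXDOMAIN, while a blackholed name comes back with status NOERROR and an empty ANSWER section.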
These types of Response Policies are configured at the DNS configuration level. However, for Response Policies to be fully effective, users must be restricted to this DNS server for resolution. To prevent users from bypassing it, restrict outbound DNS access on the firewall to ONLY your DNS servers; this prevents users from directly reaching DNS servers on the Internet.