Use Response Policies to configure a DNS resolver to answer queries for a particular zone or host with a user-configured response instead of the answer normal recursion would return.
- If you are a corporate user and want to prevent employees from connecting to harmful websites, you can set up Response Policies to block those sites, so that the resolver either returns no usable answer for them or redirects employees to an appropriate page.
- If you must comply with a government regulation that mandates DNS blocking of certain domains, Response Policies can implement that requirement.
- Blacklist—list of domains that are blocked on the network. Only names that are not on the list resolve normally. Queries matching the Blacklist return an NXDOMAIN (non-existent domain) response, so the client is told the name does not exist.
- Blackhole—silently drops resolution for domains on the Blackhole list without telling the client it was blocked. Queries matching the Blackhole list return a NOERROR response with an empty answer section (a NODATA reply), so the client sees a name that exists but has no address.
- Redirect—sends users who query a non-existent domain (NXDOMAIN) to a designated portal page by answering with the portal's address instead of NXDOMAIN. Because this turns a negative answer into a positive one, software that relies on NXDOMAIN (for example, search-suffix probing) may behave differently for redirected names.
- Whitelist—list of trusted domains that are exempt from blocking. Queries matching the Whitelist skip the other lists entirely and are resolved normally, so the Whitelist takes precedence when a name matches more than one list.
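The following is an added example, not code from the original page or from any DNS product: a small Python model of how the four policy lists decide a resolver's reply. The evaluation order (Whitelist, then Blacklist, then Blackhole, then Redirect for NXDOMAIN), the rule that a list entry also covers every name below it, the resolver data in `UPSTREAM` and the portal address `192.0.2.10` are all assumptions made for illustration; check your resolver's documentation for its actual matching rules.

```python
"""Toy model of DNS response policies: Whitelist, Blacklist, Blackhole, Redirect.

Added example for illustration only. The list precedence, the "name or any
subdomain" match rule and the sample data below are assumptions, not the
behaviour of any particular resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Response:
    rcode: str                     # "NOERROR" or "NXDOMAIN"
    answers: Tuple[str, ...] = ()  # A records handed to the client
    policy: Optional[str] = None   # which list decided the answer, if any


@dataclass
class ResponsePolicy:
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    blackhole: Set[str] = field(default_factory=set)
    redirect_target: Optional[str] = None  # portal address used for NXDOMAIN redirects

    @staticmethod
    def _matches(qname: str, names: Set[str]) -> bool:
        # Assumed rule: an entry covers the name itself and every name below it.
        q = qname.rstrip(".").lower()
        return any(q == n.lower() or q.endswith("." + n.lower()) for n in names)

    def resolve(self, qname: str, upstream: Dict[str, Tuple[str, ...]]) -> Response:
        """Answer qname using the policy lists; `upstream` stands in for recursion."""
        key = qname.rstrip(".").lower()
        if self._matches(qname, self.whitelist):
            # Whitelist: excluded from further processing, answered normally.
            answers = upstream.get(key)
            if answers:
                return Response("NOERROR", answers, "whitelist")
            return Response("NXDOMAIN", (), "whitelist")
        if self._matches(qname, self.blacklist):
            # Blacklist: tell the client the name does not exist.
            return Response("NXDOMAIN", (), "blacklist")
        if self._matches(qname, self.blackhole):
            # Blackhole: NOERROR with an empty answer section (NODATA).
            return Response("NOERROR", (), "blackhole")
        answers = upstream.get(key)
        if answers:
            return Response("NOERROR", answers)
        if self.redirect_target:
            # Redirect: replace NXDOMAIN with the portal's address.
            return Response("NOERROR", (self.redirect_target,), "redirect")
        return Response("NXDOMAIN")


# Constructed stand-in for what recursion would return (addresses from RFC 5737 ranges).
UPSTREAM: Dict[str, Tuple[str, ...]] = {
    "www.example.com": ("198.51.100.5",),
    "safe.example.net": ("198.51.100.9",),
    "ads.example.net": ("198.51.100.20",),
    "malware.example": ("203.0.113.7",),
    "cdn.malware.example": ("203.0.113.8",),
    "tracker.example": ("203.0.113.9",),
}

# Constructed policy: the whole of example.net is blacklisted except safe.example.net.
POLICY = ResponsePolicy(
    whitelist={"safe.example.net"},
    blacklist={"example.net", "malware.example"},
    blackhole={"tracker.example"},
    redirect_target="192.0.2.10",  # assumed address of the captive-portal page
)


def lookup(qname: str) -> Response:
    """Resolve qname under POLICY against the constructed UPSTREAM data."""
    return POLICY.resolve(qname, UPSTREAM)


if __name__ == "__main__":
    for name in ("www.example.com", "safe.example.net", "ads.example.net",
                 "cdn.malware.example", "tracker.example", "typo.example.org"):
        r = lookup(name)
        print(f"{name:24} {r.rcode:9} {r.answers or '-'}  via {r.policy or 'recursion'}")
```

The interesting cases are `safe.example.net`, which resolves even though its parent `example.net` is blacklisted because the Whitelist is consulted first, and `tracker.example` versus `cdn.malware.example`: the first gets NOERROR with no answers, the second NXDOMAIN, which is the difference a client (or an attacker probing the policy) can observe between Blackhole and Blacklist.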
You configure these types of Response Policies at the DNS configuration level. They only take effect for clients that actually use your DNS servers, so restrict outbound DNS at the firewall so that ONLY your DNS servers can reach DNS servers on the Internet; a client pointed at a public resolver would otherwise bypass every policy. A port-based rule covers plain DNS (port 53) and DNS over TLS (port 853) but not DNS over HTTPS, which shares port 443 with ordinary web traffic, so disable DoH in managed browsers and operating systems as well.
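As an added example (not a configuration from the original page), the nftables ruleset below shows the firewall restriction described above on a Linux edge firewall: only two internal resolvers, at the assumed addresses 10.0.0.53 and 10.0.1.53, may reach Internet DNS ports, and every other forwarded DNS or DNS-over-TLS flow is logged and dropped.

```nftables
# Added example: forward-chain egress rules allowing only the internal resolvers
# to talk DNS to the Internet. Resolver addresses are assumed for illustration.
table inet dns_egress {
    set resolvers {
        type ipv4_addr
        elements = { 10.0.0.53, 10.0.1.53 }   # assumed internal DNS server addresses
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # The resolvers themselves may query upstream over UDP/TCP 53 and DoT 853.
        ip saddr @resolvers udp dport 53 accept
        ip saddr @resolvers tcp dport { 53, 853 } accept

        # Everything else trying to reach a DNS port directly is a bypass attempt:
        # log it (useful for finding misconfigured or hostile clients) and drop it.
        udp dport 53 log prefix "dns-bypass " drop
        tcp dport { 53, 853 } log prefix "dns-bypass " drop
    }
}
```

The logged "dns-bypass" entries are worth feeding to your SIEM: a workstation that repeatedly hits port 53 on an external address is either misconfigured or running something that deliberately avoids your resolvers.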