About Response Policies - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.5.0

Use Response Policies to configure DNS resolvers to respond to DNS queries for a particular zone or host with a user-configured response.

Response Policies are particularly useful when users query for malicious, illegal, or otherwise undesirable content. You can configure the DNS server to block the request, or to redirect it, to prevent an infection or stop abuse. In this way the DNS service itself adds a layer of protection, or simply prevents unwanted access. For example:
  • If you are a corporate administrator and want to prevent employees from connecting to certain harmful websites, you can set up a Response Policy that blocks those sites so the resolver never returns their real addresses. Alternatively, you can set up the policy so that employees are redirected to an appropriate page instead.
  • If you must comply with a government regulation that mandates certain DNS blocking, you can use Response Policies to implement that requirement.
There are four different types of Response Policies that you can configure based on your requirements:
  • Blocklist—list of domains that are blocked on the network. Only names that are not explicitly included in the list are allowed through. Queries matching the blocklist return an NXDOMAIN (non-existent domain) response, so the client is told that the name does not exist.
  • Black hole—silently drops resolution for domains on the black hole list without telling the client that the name was blocked. Queries matching the black hole list return a NOERROR response with an empty answer section, which to the client looks like a name that exists but has no records.
  • Redirect—directs users attempting to connect to a non-existent domain (NXDOMAIN) to a designated portal page instead of returning the error.
  • Allowlist—list of trusted domains that are excluded from blocking. Queries matching the allowlist are excluded from further policy processing and receive the normal answer.
    Note: The Allowlist response policy takes no action against matching queries; it only logs that a domain matching the list was queried.

You can configure these types of Response Policies at the DNS configuration level. However, for Response Policies to be fully effective, clients must be forced to use your DNS servers for resolution. To prevent users from bypassing them, restrict outbound DNS traffic (UDP and TCP port 53) on the firewall so that it is permitted only to your own DNS servers. This prevents users from querying DNS servers on the Internet directly. Note that a port-53 rule alone does not cover clients that send encrypted DNS (DNS over HTTPS on port 443 or DNS over TLS on port 853) to a public resolver; those paths need to be controlled separately.
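The following is an added example, not BlueCat code or a BlueCat API, that models the four policy types listed above and the response each one produces, together with a simple model of the firewall rule described in the previous paragraph. The policy lists, the portal address, and the resolver addresses are constructed sample values, and the evaluation order (allowlist first, then blocklist, black hole, and redirect) is an assumption chosen to match the statement that allowlist matches are excluded from further processing.

```python
"""Simulated DNS Response Policy evaluation (added example, not BlueCat code).

Models the four policy types with the response each one produces, plus an
egress check that mimics a firewall rule permitting port-53 traffic only to
the corporate resolvers. All names and addresses below are constructed sample
data, not values taken from the BlueCat documentation.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample policy lists (hypothetical names).
ALLOWLIST = {"updates.example.com"}
BLOCKLIST = {"malware.example.net"}
BLACKHOLE = {"c2.example.org"}
REDIRECT = {"gambling.example"}
PORTAL_IP = "10.0.0.50"  # hypothetical portal page address for Redirect

# Hypothetical corporate resolvers that the firewall allows on port 53.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass
class Response:
    rcode: str                        # "NXDOMAIN" or "NOERROR"
    answers: List[str] = field(default_factory=list)
    policy: Optional[str] = None      # which list matched, if any
    log: List[str] = field(default_factory=list)


def _matches(qname: str, names: set) -> bool:
    """True if qname equals, or is a subdomain of, any name in the set.

    Matching is done on whole labels, so "notmalware.example.net" does not
    match a policy entry for "malware.example.net".
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def apply_policy(qname: str, upstream_answer: List[str]) -> Response:
    """Evaluate a query against the policy lists (assumed order below).

    - Allowlist: no action, only a log entry; the normal answer is returned.
    - Blocklist: NXDOMAIN with no answers.
    - Black hole: NOERROR with an empty answer section.
    - Redirect: NOERROR whose answer points at the portal.
    """
    if _matches(qname, ALLOWLIST):
        return Response("NOERROR", list(upstream_answer), "allowlist",
                        [f"allowlist match for {qname}"])
    if _matches(qname, BLOCKLIST):
        return Response("NXDOMAIN", [], "blocklist",
                        [f"blocklist match for {qname}"])
    if _matches(qname, BLACKHOLE):
        return Response("NOERROR", [], "blackhole",
                        [f"black hole match for {qname}"])
    if _matches(qname, REDIRECT):
        return Response("NOERROR", [PORTAL_IP], "redirect",
                        [f"redirect match for {qname}"])
    # No policy matched: pass the upstream answer through unchanged.
    return Response("NOERROR", list(upstream_answer))


def egress_allowed(dst_ip: str, dst_port: int) -> bool:
    """Model of the firewall rule: port 53 is permitted only to the corporate
    resolvers. Other ports are outside this rule, which is why encrypted DNS
    (DoH on 443, DoT on 853) to a public resolver would still pass it."""
    if dst_port != 53:
        return True
    return dst_ip in CORPORATE_RESOLVERS


if __name__ == "__main__":
    # Constructed queries; the upstream answers are placeholder addresses.
    for name in ["www.malware.example.net", "c2.example.org",
                 "gambling.example", "updates.example.com",
                 "notmalware.example.net"]:
        r = apply_policy(name, ["192.0.2.10"])
        print(f"{name:28} {r.rcode:8} {r.answers} {r.policy}")
    print("direct 8.8.8.8:53 allowed:", egress_allowed("8.8.8.8", 53))
```

Run it against a few names of your own to see that a subdomain of a listed domain is treated the same as the domain itself, and that a black hole match is indistinguishable, from the client's side, from a name that simply has no records.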