When the service point receives a DNS query, it first checks the query for threat indicators. If any are found, the service point classifies the query with the matching threat indicators and their associated threat type.

The query is then evaluated against the defined policies. A query is blocked, and never reaches namespace evaluation, if it matches a block policy or, when allow policies are defined, doesn't match any allow policy.

If a block action hasn't been enforced, the service point then proceeds to resolve the query by employing its defined namespaces.

When the server returns an answer, the CNAME record returned as part of the answer is evaluated against domain-based block, redirect, and monitor policies.
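The evaluation order described above can be modeled in a few lines, which makes it easy to reason about why a given query was blocked. This is an added example, not the product's code or API. All names, domains, policies and records are constructed, and it assumes that block policies can match on threat type, that domain policies match subdomains, and that a monitor match only records the hit.

```python
# Hypothetical model of the evaluation order; not a vendor API.
# All domains, policies and records below are constructed sample data.
INDICATORS = {"c2.bad.example": "malware"}            # indicator -> threat type
BLOCK = {"domains": {"ads.example"}, "threats": {"malware"}}
ALLOW = set()                                         # empty: no allow policies defined
CNAME_POLICIES = {"tracker.example": "block",
                  "legacy.example": "redirect",
                  "cdn.example": "monitor"}
NAMESPACE = {                                         # qname -> (rtype, value)
    "www.shop.example": ("CNAME", "edge.tracker.example"),
    "img.shop.example": ("CNAME", "a1.cdn.example"),
    "intranet.example": ("A", "192.0.2.10"),
}

def in_zone(name, zones):
    """Return the first zone that equals name or is a parent of it, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def evaluate(qname, allow=ALLOW):
    trace = []
    # Step 1: classify the query against threat indicators.
    hit = in_zone(qname, INDICATORS)
    threat = INDICATORS[hit] if hit else None
    if threat:
        trace.append(f"classified:{threat}")
    # Step 2: policies. Block on a block match, or when allow policies
    # are defined and none of them matches.
    if threat in BLOCK["threats"] or in_zone(qname, BLOCK["domains"]):
        return "blocked", trace + ["block-policy"]
    if allow and not in_zone(qname, allow):
        return "blocked", trace + ["no-allow-match"]
    # Step 3: resolve through the defined namespaces.
    answer = NAMESPACE.get(qname.lower().rstrip("."))
    if answer is None:
        return "unresolved", trace
    # Step 4: a CNAME in the answer is checked against domain-based policies.
    rtype, value = answer
    zone = in_zone(value, CNAME_POLICIES) if rtype == "CNAME" else None
    if zone:
        action = CNAME_POLICIES[zone]
        trace.append(f"cname-{action}:{zone}")
        if action != "monitor":
            return {"block": "blocked", "redirect": "redirected"}[action], trace
    return "resolved", trace
```

Note that `www.shop.example` passes the query-time policies and is only blocked after resolution, because its CNAME target falls under a blocked domain.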