When the DNS resolver service receives a DNS query, it first evaluates the query for the presence of the threat indicators. If found, the DNS resolver service classifies the query with the found threat indicators and associated threat type.
The query is then evaluated against the defined policies. A query is blocked and doesn't reach the namespaces evaluation if it matches a block policy or doesn't match an allow policy (if allow policies are defined).
If a block action hasn't been enforced, the DNS resolver service then proceeds to resolve the query by employing its defined namespaces.
When the server returns an answer, the CNAME record returned as part of the answer is evaluated by domain-based block, redirect, and monitor policies.