When the DNS resolver service (DRS) receives a DNS query, it first evaluates the query using machine learning and mathematical algorithms to detect potential threat indicators. If any are found, the DRS classifies the query with the identified threat indicators and associated threat types.
Next, the query is assessed against the defined policies. If the query matches a block policy, the query is immediately blocked and is not handed off to namespace chains for resolution. If the query matches an allow policy, it is exempted from block policy evaluation and is directly passed to the namespaces for resolution.
DRS then resolves the query by utilizing the configured namespaces. By default, DRS uses the first matching namespace defined within the site. If the first matched namespace cannot resolve the query or returns a DNS response that does not fully satisfy the query, DRS proceeds to the next matching namespace within the site. Namespace matching criteria can include parameters such as the client's source IP address or the domain name in the query.
Once a server returns an answer, the response is evaluated against the defined policies to check for a match. If the response matches a block policy, the query is blocked and a Non-Existent Domain (NXDOMAIN) response is returned to the client.
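The four-stage pipeline described above, as an added model that is not the DRS product's own code: the classifier is replaced by a constructed indicator table, the policies, namespaces and answer tables are constructed, and a query that no namespace answers returns None because the text does not specify that case.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the classifier's output: query name -> threat types.
THREAT_INDICATORS = {"bad.example": {"malware"}, "bad.corp.example": {"malware"}}
# Constructed policies: query policies match on (name, threats), response
# policies on the answer IP. Action is "allow" or "block".
QUERY_POLICIES = [
    {"action": "allow", "match": lambda n, t: n.endswith(".corp.example")},
    {"action": "block", "match": lambda n, t: "malware" in t},
]
RESPONSE_POLICIES = [
    {"action": "block", "match": lambda ip: ip_address(ip) in ip_network("203.0.113.0/24")},
]
# Constructed namespaces in site order: matching criteria (client subnet, domain
# suffix) plus a static answer table standing in for the upstream servers.
NAMESPACES = [
    {"clients": ip_network("10.0.0.0/8"), "suffix": ".corp.example",
     "answers": {"intranet.corp.example": "10.1.2.3"}},
    {"clients": ip_network("0.0.0.0/0"), "suffix": "",
     "answers": {"www.example": "198.51.100.10", "sink.example": "203.0.113.5",
                 "mail.corp.example": "198.51.100.20",
                 "bad.corp.example": "198.51.100.30", "bad.example": "192.0.2.99"}},
]

def query_action(name, threats):
    """An allow match exempts the query from block evaluation entirely."""
    for action in ("allow", "block"):
        if any(p["action"] == action and p["match"](name, threats)
               for p in QUERY_POLICIES):
            return action
    return None

def resolve(name, client_ip):
    """Run one query through the four DRS stages; returns an IP, "NXDOMAIN",
    or None when no namespace answered (the page leaves that code unspecified)."""
    threats = set(THREAT_INDICATORS.get(name, ()))           # 1. classify
    if query_action(name, threats) == "block":               # 2. query policies
        return "NXDOMAIN"
    answer = None
    for ns in NAMESPACES:                                    # 3. namespace chain
        if ip_address(client_ip) in ns["clients"] and name.endswith(ns["suffix"]):
            answer = ns["answers"].get(name)
            if answer is not None:                           # satisfied: stop
                break                                        # else next match
    if answer is None:
        return None
    if any(p["action"] == "block" and p["match"](answer)     # 4. response policies
           for p in RESPONSE_POLICIES):
        return "NXDOMAIN"
    return answer
```

Calling resolve("bad.corp.example", "10.0.0.5") shows the allow exemption (the malware indicator is ignored), while resolve("mail.corp.example", "10.0.0.5") shows the fall-through to the second namespace after the first matching one has no answer.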