- Trust: Lets you trust certain domains that might be blocked and allow them to be resolved. For example, you can create a trust policy that allows domains that might have been incorrectly blocked by policies using threat detection. BlueCat recommends configuring a global trust policy that includes internal domains that can be characterized as tunneling or DGA. For more information on configuring a global trust policy, refer to Configuring a global trust policy.
Trust policies can be associated with one or more sites, and can include or exclude source IP addresses.
Attention:
- Trust policies override block, redirect, and monitor policies.
- Trust policies only apply to sites running DRS v3.8.0 and greater.
- Query logs with trust policy actions are not forwarded to the SIEM streaming API.
- Block: Blocks access to the domain lists, query types, source IPs, or response IPs that you add to the policy. For example, you might apply a policy that blocks access to a domain list of social media URLs. To block access to domains and redirect users to an alternate DN, add a redirect DN.
- Monitor: Lets you monitor access to domains without impacting the DNS response.
A monitor policy monitors domains based on the query and on the nameservers listed under the Authority section of the DNS response.
Policy evaluation of CNAME records
Domain-based block, block with redirect, and monitor policies evaluate CNAME records returned as part of the response chain. If at least one of the returned CNAME records matches the domains associated with the policy, and all of the policy's other criteria are met, then the trust, block, redirect, or monitor action is enforced.
Policy evaluation of Authoritative Nameservers
Block and monitor policies evaluate NS records returned in the Authority section of the query as part of the response chain. If at least one of the returned NS records matches the domains associated with the policy, and all of the policy's other criteria are met, then the trust, block, redirect, or monitor action is enforced.
Order in which policies are applied
When a site has multiple policies associated with it, Trust is applied first, then Block with Redirect, then Block, then Monitor policies.
For block and monitor policies, you can set time and date ranges for the policy to be applied. For example, you can set a range of 9:00 am to 17:00, Monday to Friday, if you want the policy to apply during regular business hours. If you don't select any times or days, the policy is always active. You must select at least one criterion in addition to a time range to activate the policy.
You can also block, monitor, or trust specific query types or source IP ranges.
- If you are configuring a policy where multiple criteria are selected, the policy action is taken only when all of the conditions are met. For example, if you configure a block policy and you specify a Block List and Query Type, the policy action is only enacted on queries that are found in the block list and match the specified query type.
- If a DNS query matches all conditions for multiple policies with different redirect destinations, the query is answered with one of the redirected destinations in a random order, resulting in unexpected behavior. Configuring policies with overlapping conditions that can result in a query matching more than one policy is unsupported.
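To make the evaluation rules above concrete, here is an added Python model of them (example code, not BlueCat's own implementation or API): every criterion a policy sets must match (AND), domains are matched against the query name and CNAME chain and/or the authority-section NS names, exception lists exclude, and the matching policies are ranked trust, then block with redirect, then block, then monitor. The Policy and Response classes, the '*' wildcard with suffix matching, and the threat flags carried on the response are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Hypothetical data model (not BlueCat's API) for one policy and one resolved DNS response.
@dataclass
class Policy:
    name: str
    action: str                                   # "trust", "block" or "monitor"
    domains: set = field(default_factory=set)     # domain list; "*" matches any name
    exceptions: set = field(default_factory=set)  # exception list: names that never match
    redirect: str = ""                            # block with redirect when non-empty
    threats: set = field(default_factory=set)     # {"dga", "tunneling"}: OR within, AND with the rest
    qtypes: set = field(default_factory=set)
    source_nets: list = field(default_factory=list)
    match_answer: bool = True                     # query name and CNAME chain
    match_ns: bool = False                        # NS names from the Authority section

@dataclass
class Response:
    qname: str
    qtype: str
    source_ip: str
    cnames: list = field(default_factory=list)
    ns: list = field(default_factory=list)
    threats: set = field(default_factory=set)     # as classified by threat detection (assumed input)

def in_list(names, domain_list):
    if "*" in domain_list:
        return bool(names)
    return any(n == d or n.endswith("." + d) for n in names for d in domain_list)

def matches(p, r):
    # Every criterion the policy sets must hold (AND); criteria left empty are ignored.
    names = ([r.qname] + r.cnames if p.match_answer else []) + (r.ns if p.match_ns else [])
    return (
        (not p.domains or in_list(names, p.domains))
        and not in_list(names, p.exceptions)
        and (not p.threats or bool(p.threats & r.threats))
        and (not p.qtypes or r.qtype in p.qtypes)
        and (not p.source_nets or any(ip_address(r.source_ip) in ip_network(n) for n in p.source_nets))
    )

# Evaluation order from the page: trust, then block with redirect, then block, then monitor.
RANK = {"trust": 0, "redirect": 1, "block": 2, "monitor": 3}

def outcome(p):
    return "redirect" if p.action == "block" and p.redirect else p.action

def evaluate(policies, r):
    hits = sorted((p for p in policies if matches(p, r)), key=lambda p: RANK[outcome(p)])
    return (outcome(hits[0]), hits[0].name) if hits else ("resolve", None)
```

Two block policies matching the same query (the unsupported overlap described above) are resolved here by list order, which is a choice of the example, not documented product behaviour.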
Creating a new policy
- In the top navigation bar, click and select Policies.
- To add a new policy, click New, or select an existing policy and click Edit.
- Complete the following information:
- Enter a name and description for the policy.
- For Type, select whether to Block, Monitor, or Trust the domains in the domain list.
Note: If you have an existing Allow policy, you can edit the type to Block, Monitor, or Trust the domains in the domain list.
- Use the Active toggle to select whether the policy is Active or Inactive.
Note: You must enter at least one site in the Sites field to activate the policy.
- For Sites, enter one or more sites or site group names to add to the policy.
- As you enter sites and site groups, they appear below the Sites field.
- To remove a site or site group from a policy, click the X beside the name.
Tip: Type all sites and press Enter if you want the policy to apply to all of the sites.
Attention: Some Policy features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Policy features function as expected.
- (Optional) For a block policy, for Redirect Target, enter the fully qualified domain name (for example, www.bluecat.com) to which blocked domains should be redirected.
- (Optional) For a block or monitor policy, select Set Active Time if you want to apply the policy during limited date and time ranges. You can set starting and ending times, combined with applicable days of the week. You can set more than one date and time range.
Note: If you do not specify an active time, the policy is active at all times.
- (Optional) Under Threat, select the checkbox next to DGA or Tunneling to block or monitor queries that meet the threat type criteria.
Note: If you select both DGA and Tunneling, the policy action will be applied to a query if a threat of either type is identified.
- (Optional) Under Domain List, enter the name of the domain list(s) you want to block or monitor. For a block policy, select one or both of the following:
- Block domains based on query/answer: Blocks query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
- Block domains based on authoritative nameservers: Blocks query resolution if the domains listed in the Domain List match the authoritative nameservers found in the Authority section of the DNS response.
Note: You must select at least one criterion to block domain lists.
For a monitor policy, select one or both of the following:
- Monitor domains based on query/answer: Monitors query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
- Monitor domains based on authoritative nameservers: Monitors query resolution if the domains listed in the Domain List match the authoritative nameservers found in the Authority section of the DNS response.
Note: You must select at least one criterion to monitor domain lists.
For a trust policy, select one or both of the following:
- Trust domains based on query/answer: Trusts query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
- Trust domains based on authoritative nameservers: Trusts query resolution if the domains listed in the Domain List match the authoritative nameservers found in the Authority section of the DNS response.
Note: You must select at least one criterion to trust domain lists.
- (Optional) For a block or monitor policy, under Exception List, add any domain lists that are exceptions to the policy rule, if applicable.
Note: If you define an Exception List, you must also define a parent Block List.
- (Optional) This option allows you to block or monitor DNS queries based on the IP address in the A or AAAA record of the response. Under Response IP Lists:
- In the Block List field, enter the IP lists that you want to block.
- In the Exception List field, enter the IP lists that are exceptions to the policy rule, if applicable.
Note: If you define an Exception List, you must also define a parent Block List.
- (Optional) Under Query Type, begin typing and select from the list of query types to block or monitor.
- (Optional) Under Source IP:
- For block, monitor, and trust policies, select whether to include or exclude source IP addresses.
- Enter individual IP addresses or a CIDR range in the standard 123.123.100.0/xx format or shorthand CIDR 123.x/xx format, to block or monitor.
- Press Enter.
- Click Save or Save and Apply.
Active policies are applied immediately. Inactive policies are saved but not applied until activated.
- To delete a policy, ensure that it's inactive, then select it and click Delete.
Note: Sites, site groups, or domain lists can be deleted even if they're included in a policy. If this happens, when you open a policy for editing, you can't save the policy until you remove the deleted items.
Policy Tips
- Under Threat, set the Type to Tunneling.
- Under Domain Lists, set the Block List to '*' to block all Tunneling traffic.
- Under Domain Lists, set the Exception List to the legitimate domains that shouldn't be blocked.
Configuring a global trust policy
At times, internal Active Directory domains or highly dynamic internal zones can be characterized as tunneling or DGA threats. When configuring policies, BlueCat recommends configuring a global trust policy to override any threat detection or other policy enforcement.
- Create a domain list that contains the list of internal or external trusted domains. For more information on creating the domain list, refer to Domain lists.
- Create a trust policy that contains the domain list with the trusted domains and apply the policy to all sites.