Policies - BlueCat DNS Edge - 2020.12

DNS Edge User Guide

Policies let you set site-specific access rules for domain lists, query types, and source IPs. There are two types of policies:
  • Block: Blocks access to the domain lists that you add to the policy. For example, you might apply a policy that blocks access to a domain list of social media URLs. To block access to domains and redirect users to an alternate domain name, add a redirect domain name.

    Block policy domain lists block domains based on the query and nameservers listed under the Authority section of the DNS response.

    You can add domain lists as exceptions to handle cases where a domain has erroneously been added to a domain list of blocked addresses. This lets you block a domain while still allowing access to a specific subdomain.

  • Monitor: Lets you monitor access to domains without impacting the DNS response.

    Monitor policy monitors domains based on the query and nameservers listed under the Authority section of the DNS response.

Policy evaluation of CNAME records

Domain-based block, block with redirect, and monitor policies evaluate CNAME records returned as part of the response chain. If at least one of the returned CNAME records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block, redirect, or monitor action is enforced.

Policy evaluation of Authoritative Nameservers

Block and monitor policies evaluate NS records returned in the Authority section of the query as part of the response chain. If at least one of the returned NS records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block or monitor action is enforced.

Order in which policies are applied

When a site has multiple policies associated with it, allow policies are applied first. If there are any allow policies, no other policies are evaluated. If there is no allow policy, then block with redirect is applied, then block, then monitor.

For block and monitor policies, you can set time and date ranges for the policy to be applied. For example, you can set a range of 9:00 to 17:00, Monday to Friday, if you want the policy to apply during regular business hours. If you don't select any times or days, the policy is always active. You must select at least one criterion in addition to a time range to activate the policy.

You can also block, monitor, or allow specific query types or source IP ranges.

Attention: If you are configuring a policy where multiple criteria are selected, the policy action is taken only when all of the conditions are met. For example, if you configure a block policy and you specify a Block List and Query Type, the policy action is only enacted on queries that are found in the block list and match the specified query type.
Note: You can also create policies using the API. For more information, refer to Policy management APIs.

Creating a new policy

  1. In the top navigation bar, click and select Policies.
  2. To add a new policy, click , or select an existing policy and click Edit.
  3. Complete the following information:
    • Enter a name and description for the policy.
    • For Type, select whether to Block or Monitor the domains in the domain list.
      Note: If you have an existing Allow policy, you can edit the type to Block or Monitor the domains in the domain list.
    • Use the Active toggle to select whether the policy is Active or Inactive.
      Note: You must enter at least one site in the Sites field to activate the policy.
  4. For Sites, enter one or more sites or site group names to add to the policy.
    • As you enter sites and site groups, they appear below the Sites field.
    • To remove a site or site group from a policy, click the X beside the name.
    Tip: Type all sites and press Enter if you want the policy to apply to all of the sites.
    Attention: Some Policy features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Policy features function as expected.
  5. (Optional) For a block policy, for Redirect Target, enter the fully qualified domain name (for example, www.bluecat.com) to which blocked domains should be redirected.
  6. (Optional) For a block or monitor policy, select Set Active Time if you want to apply the policy during limited date and time ranges. You can set starting and ending times, combined with applicable days of the week. You can set more than one date and time range.
    Note: If you do not specify an active time, the policy is active at all times.
  7. (Optional) Under Threat, select DGA or Tunneling if you want to block, monitor, or allow queries that meet the threat type criteria. When you select a threat type from the drop-down list, the threat type indicators appear.
    Note: If you select both DGA and Tunneling, the policy action will be applied to a query if a threat of either type is identified.
  8. (Optional) Under Domain List, enter the name of the domain list(s) you want to block, monitor, or allow.
    For block policy, select one or both of the following:
    • Block domains based on query/answer: Blocks query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
    • Block domains based on authoritative nameservers: Blocks query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
    Note: You must select at least one criterion to block domain lists.
    For monitor policy, select one or both of the following:
    • Monitor domains based on query/answer: Monitors query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
    • Monitor domains based on authoritative nameservers: Monitors query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
    Note: You must select at least one criterion to monitor domain lists.
  9. (Optional) For a block or monitor policy, under Exception List, add any domain lists that are exceptions to the policy rule, if applicable.
    Note: If you define an Exception List, you must also define a parent Block List.*
  10. (Optional) Under Query Type, begin typing and select from the list of query types to block or monitor.
  11. (Optional) Under Source IP:
    • For block and monitor policies, select whether to include or exclude source IP addresses.
    • Enter individual IP addresses or a CIDR range in the standard 123.123.100.0/xx format or shorthand CIDR 123.x/xx format, to block or monitor.
    • Press Enter.
    The address or range appears below the Source IPs field. Enter additional addresses or ranges, if needed. To remove an address or range from the list, click the X beside it.
  12. Click Save or Save and Apply.

    Active policies are applied immediately. Inactive policies are saved but not applied until activated.

  13. To delete a policy, ensure that it's inactive, then select it and click Delete.
    Note: Sites, site groups, or domain lists can be deleted even if they're included in a policy. If this happens, when you open a policy for editing, you can't save the policy until you remove the deleted items.

Policy Tips

* If you are defining an Exception List, you must also define a parent Block List under Domain List. For example, if you block all queries flagged as Tunneling but allow certain domains that are known to be legitimate domains as exceptions, you would configure the following settings:
  • Under Threat, set the Type to Tunneling.
  • Under Domain Lists, set the Block List to '*' to block all Tunneling traffic.
  • Under Domain Lists, set the Exception List to the legitimate domains that shouldn't be blocked.
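As an added illustration of the evaluation rules described earlier (CNAME and authoritative-NS matching, the AND across selected criteria, and the allow, then block with redirect, then block, then monitor order) and of the Tunneling-plus-exception configuration in this tip, the following Python model is constructed for this page and is not BlueCat code. It assumes standard CIDR notation only, leaves out active-time ranges, and treats a policy as not applying whenever any evaluated name matches its Exception List.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def domain_matches(name, domain_list):
    """An entry matches the name itself or any subdomain; '*' matches everything."""
    name = name.rstrip(".").lower()
    return any(d == "*" or name == d or name.endswith("." + d)
               for d in (e.rstrip(".").lower() for e in domain_list))

@dataclass
class Policy:                              # constructed model, not BlueCat's schema
    name: str
    action: str                            # "allow", "block" or "monitor"
    redirect: str = ""                     # non-empty => block with redirect
    domain_list: list = field(default_factory=list)
    exception_list: list = field(default_factory=list)
    match_query_answer: bool = True        # queried name and CNAME answers
    match_nameservers: bool = False        # NS names in the Authority section
    query_types: set = field(default_factory=set)
    source_ips: list = field(default_factory=list)   # CIDR strings
    exclude_source_ips: bool = False       # include (False) or exclude (True) them
    threats: set = field(default_factory=set)        # subset of {"DGA", "Tunneling"}

def policy_matches(p, q):
    """Every configured criterion must hold (AND); unset criteria are ignored."""
    checks = []
    if p.domain_list:
        names = [q["qname"]] + q.get("cnames", []) if p.match_query_answer else []
        names += q.get("ns", []) if p.match_nameservers else []
        checks.append(any(domain_matches(n, p.domain_list) for n in names)
                      and not any(domain_matches(n, p.exception_list) for n in names))
    if p.query_types:
        checks.append(q["qtype"] in p.query_types)
    if p.source_ips:
        inside = any(ip_address(q["src"]) in ip_network(c, strict=False) for c in p.source_ips)
        checks.append(inside != p.exclude_source_ips)
    if p.threats:
        checks.append(bool(p.threats & q.get("threats", set())))
    return bool(checks) and all(checks)          # no criteria at all => never active

RANK = {"allow": 0, "redirect": 1, "block": 2, "monitor": 3}
def verdict(p):
    return "redirect" if p.action == "block" and p.redirect else p.action

def evaluate(policies, q):
    """Allow wins outright; otherwise block with redirect, then block, then monitor."""
    matched = sorted((p for p in policies if policy_matches(p, q)), key=lambda p: RANK[verdict(p)])
    if not matched:
        return ("resolve", "")
    return (verdict(matched[0]), matched[0].redirect or matched[0].name)
```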