Block: Blocks access to the domain lists, query types, source IPs, or response IPs that you add to the policy. For example, you might apply a policy that blocks access to a domain list of social media URLs. To block access to domains and redirect users to an alternate DN, add a redirect DN.
- Monitor: Lets you monitor access to domains without impacting the DNS
A monitor policy evaluates domains based on the query and on the nameservers listed in the Authority section of the DNS response.
Policy evaluation of CNAME records
Domain-based block, block with redirect, and monitor policies evaluate CNAME records returned as part of the response chain. If at least one of the returned CNAME records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block, redirect, or monitor action is enforced.
Policy evaluation of Authoritative Nameservers
Block and monitor policies evaluate NS records returned in the Authority section of the query as part of the response chain. If at least one of the returned NS records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block or monitor action is enforced.
Order in which policies are applied
When a site has multiple policies associated with it, block with redirect is applied first, then block, then monitor policies.
For block and monitor policies, you can set time and date ranges during which the policy is applied. For example, you can set a range of 9:00 am to 17:00, Monday to Friday, if you want the policy to apply only during regular business hours. If you don't select any times or days, the policy is always active. You must select at least one criterion in addition to a time range to activate the policy.
You can also block or monitor specific query types or source IP ranges.
- If you are configuring a policy where multiple criteria are selected, the policy action is taken only when all of the conditions are met. For example, if you configure a block policy and you specify a Block List and Query Type, the policy action is only enacted on queries that are found in the block list and match the specified query type.
- If a DNS query matches all conditions of multiple policies that have different redirect destinations, the query is answered with one of those destinations chosen at random, which results in unexpected behavior. Configuring policies with overlapping conditions, such that a query can match more than one policy, is unsupported.
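The evaluation rules above (domain lists matched against the queried name and CNAME answers or against Authority-section NS records, all selected criteria ANDed, redirect applied before block before monitor), modelled in Python as an added example that is not BlueCat code. The Policy fields, the decoded-response dict layout, the rule that a list entry also matches its subdomains, and the reading that the highest-precedence matching policy decides the outcome are assumptions of this model, not documented product behaviour.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    action: str                        # "redirect", "block" or "monitor"
    domains: set = field(default_factory=set)     # the policy's Domain List
    match_answer: bool = True          # match queried hostname / CNAME answers
    match_ns: bool = False             # match Authority-section NS records
    exceptions: set = field(default_factory=set)  # Exception List
    query_types: set = field(default_factory=set) # empty = any query type
    source_nets: list = field(default_factory=list)  # empty = any source IP

def in_list(names, domain_list):
    """Assumed matching rule: a list entry matches the name or any subdomain."""
    return any(n == d or n.endswith("." + d) for n in names for d in domain_list)

def matches(p, q):
    """All selected criteria must hold: the criteria are ANDed together."""
    names = [q["qname"]] + q.get("cnames", [])
    hit = (p.match_answer and in_list(names, p.domains)) or \
          (p.match_ns and in_list(q.get("ns", []), p.domains))
    if not hit or in_list(names + q.get("ns", []), p.exceptions):
        return False
    if p.query_types and q["qtype"] not in p.query_types:
        return False
    if p.source_nets and not any(ip_address(q["src"]) in ip_network(n)
                                 for n in p.source_nets):
        return False
    return True

def evaluate(policies, q):
    """(action, policy name) of the highest-precedence match, else ("allow", None)."""
    for p in sorted(policies, key=lambda p: ["redirect", "block", "monitor"].index(p.action)):
        if matches(p, q):
            return p.action, p.name
    return "allow", None

# Constructed sample policies and decoded responses (not real traffic).
REDIRECT = Policy("social-redirect", "redirect", {"social.example"})
NS_BLOCK = Policy("ns-block", "block", {"badns.example"},
                  match_answer=False, match_ns=True)
MONITOR = Policy("social-monitor", "monitor", {"social.example"},
                 query_types={"A"}, source_nets=["10.0.0.0/8"])
POLICIES = [MONITOR, NS_BLOCK, REDIRECT]
Q_CNAME = {"qname": "cdn.example", "cnames": ["www.social.example"],
           "qtype": "A", "src": "10.1.2.3"}
Q_NS = {"qname": "shop.example", "ns": ["ns1.badns.example"],
        "qtype": "A", "src": "192.0.2.1"}
```

With both the redirect and the monitor policy listing social.example, the CNAME query is redirected rather than monitored; the second query is blocked purely on its authoritative nameserver.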
Creating a new policy
- In the top navigation bar, click and select Policies.
- To add a new policy, click , or select an existing policy and click Edit.
- Complete the following information:
- Enter a name and description for the policy.
- For Type, select whether to Block or Monitor the domains in the domain list.
Note: If you have an existing Allow policy, you can edit the type to Block or Monitor the domains in the domain list.
- Use the Active toggle to select whether the policy is Active or Inactive.
Note: You must enter at least one site in the Sites field to activate the policy.
- For Sites, enter one or more sites or site group names to add to the policy.
Tip: Type all sites and press Enter if you want the policy to apply to all of the sites.
Attention: Some Policy features might not be applied as expected on service points within sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Policy features function as expected.
- As you enter sites and site groups, they appear below the Sites field.
- To remove a site or site group from a policy, click the X beside the name.
- (Optional) For a block policy, for Redirect Target, enter the fully qualified domain name (for example, www.bluecat.com) to which blocked domains should be redirected.
- (Optional) For a block or monitor policy, select Set Active Time if you want to apply the policy only during limited date and time ranges. You can set starting and ending times, combined with applicable days of the week. You can set more than one date and time range.
Note: If you do not specify an active time, the policy is active at all times.
- (Optional) Under Threat, select DGA or Tunneling if you want to block or monitor queries that meet the threat type criteria. When you select a threat type from the drop-down list, the threat type indicators appear.
Note: If you select both DGA and Tunneling, the policy action is applied to a query if a threat of either type is identified.
- (Optional) Under Domain List, enter the name of the domain list(s) you want to block or monitor.
For a block policy, select one or both of the following:
- Block domains based on query/answer: Blocks query resolution if the domains listed in the Domain List match the queried hostname or the CNAME answers of the DNS response.
- Block domains based on authoritative nameservers: Blocks query resolution if the domains listed in the Domain List match the authoritative nameservers found in the Authority section of the DNS response.
Note: You must select at least one criterion to block domain lists.
For a monitor policy, select one or both of the following:
- Monitor domains based on query/answer: Monitors query resolution if the domains listed in the Domain List match the queried hostname or the CNAME answers of the DNS response.
- Monitor domains based on authoritative nameservers: Monitors query resolution if the domains listed in the Domain List match the authoritative nameservers found in the Authority section of the DNS response.
Note: You must select at least one criterion to monitor domain lists.
- (Optional) For a block or monitor policy, under Exception List, add any domain lists that are exceptions to the policy rule, if applicable.
Note: If you define an Exception List, you must also define a parent Block List.
- (Optional) Under Response IP, you can block or monitor DNS queries based on the IP address in the A or AAAA record of the response.
Note: If you define an Exception List, you must also define a parent Block List.
- In the Block List field, enter the IP lists that you want to block.
- In the Exception List field, enter the IP lists that are exceptions to the policy rule, if applicable.
- (Optional) Under Query Type, begin typing and select from the list of query types to block or monitor.
- (Optional) Under Source IP:
- For block and monitor policies, select whether to include or exclude source IP addresses.
- Enter individual IP addresses, or a CIDR range in the standard 220.127.116.11/xx format or the shorthand 123.x/xx format, to block or monitor.
- Press Enter.
- Click Save or Save and Apply.
Active policies are applied immediately. Inactive policies are saved but not applied until activated.
- To delete a policy, ensure that it's inactive, then select it and click Delete.
Note: Sites, site groups, or domain lists can be deleted even if they're included in a policy. If this happens, when you open a policy for editing, you can't save the policy until you remove the deleted items.
- Under Threat, set the Type to Tunneling.
- Under Domain Lists, set the Block List to '*' to block all Tunneling traffic.
- Under Domain Lists, set the Exception List to the legitimate domains that shouldn't be blocked.