- Block: Blocks access to the domain lists that you add to the policy. For example, you might apply a policy that blocks access to a domain list of social media URLs. To block access to domains and redirect users to an alternate DN, add a redirect DN.
Block policy domain lists block domains based on the query and nameservers listed under the Authority section of the DNS response.
You can add domain lists as exceptions to handle cases where a domain has erroneously been added to a domain list of blocked addresses. This lets you block a domain while still allowing access to a specific subdomain.
- Monitor: Lets you monitor access to domains without impacting the DNS
Monitor policy monitors domains based on the query and nameservers listed under the Authority section of the DNS response.
Policy evaluation of CNAME records
Domain-based block, block with redirect, and monitor policies evaluate CNAME records returned as part of the response chain. If at least one of the returned CNAME records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block, redirect, or monitor action is enforced.
Policy evaluation of Authoritative Nameservers
Block and monitor policies evaluate NS records returned in the Authority section of the query as part of the response chain. If at least one of the returned NS records matches the domains associated with the policy, and all of the policy's other criteria are met, then the block or monitor action is enforced.
Order in which policies are applied
When a site has multiple policies associated with it, allow policies are applied first. If there are any allow policies, no other policies are evaluated. If there is no allow policy, then block with redirect is applied, then block, then monitor.
For block and monitor policies, you can set time and date ranges during which the policy is applied. For example, you can set a range of 9:00 am to 17:00, Monday to Friday, if you want the policy to apply during regular business hours. If you don't select any times or days, the policy is always active. You must select at least one criterion in addition to a time range to activate the policy.
You can also block, monitor, or allow specific query types or source IP ranges.
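To make the precedence and matching rules above concrete, here is an added Python model (not BlueCat's code) that evaluates a site's policies against the parts of a DNS response the page says are inspected: the queried name, the CNAME chain, and the NS records in the Authority section. The Policy and DnsResponse shapes, the sample domain lists, and the "resolve" outcome for an unmatched query are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Precedence as the page states it: allow, then block with redirect, then block, then monitor.
ORDER = {"allow": 0, "block_redirect": 1, "block": 2, "monitor": 3}

@dataclass
class Policy:  # hypothetical shape, not the product's own data model
    action: str                        # one of the ORDER keys
    domains: List[str]                 # entries of the policy's domain list(s)
    exceptions: List[str] = field(default_factory=list)  # exception list entries
    match_query_answer: bool = True    # "based on query/answer": qname + CNAME chain
    match_nameservers: bool = False    # "based on authoritative nameservers"
    redirect: Optional[str] = None     # redirect target of a block_redirect policy

@dataclass
class DnsResponse:  # the parts of a response the page says are inspected
    qname: str
    cnames: List[str] = field(default_factory=list)   # CNAME chain in the answer
    auth_ns: List[str] = field(default_factory=list)  # NS records, Authority section

def in_list(name: str, entries: List[str]) -> bool:
    """A domain-list entry matches the name itself and every subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == e or name.endswith("." + e)
               for e in (x.lower().rstrip(".") for x in entries))

def policy_matches(p: Policy, r: DnsResponse) -> bool:
    names: List[str] = []
    if p.match_query_answer:
        names += [r.qname] + r.cnames
    if p.match_nameservers:
        names += r.auth_ns
    # One hit is enough; an exception entry carves a subdomain out of a blocked parent.
    return any(in_list(n, p.domains) and not in_list(n, p.exceptions) for n in names)

def evaluate(policies: List[Policy], r: DnsResponse) -> Tuple[str, Optional[str]]:
    """Return (action, redirect_target); 'resolve' means no policy matched."""
    for p in sorted(policies, key=lambda p: ORDER[p.action]):
        if policy_matches(p, r):
            return p.action, p.redirect
    return "resolve", None

# Constructed sample policies for one site (not real data).
SAMPLE_POLICIES = [
    Policy("allow", ["cdn.example"]),
    Policy("block_redirect", ["social.example"], ["api.social.example"], redirect="blocked.example"),
    Policy("monitor", ["ns-tracker.example"], match_query_answer=False, match_nameservers=True),
]
```

Running evaluate on a response whose CNAME chain touches both an allowed and a blocked list shows the allow policy winning, which is the ordering the page describes.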
Creating a new policy
- In the top navigation bar, click and select Policies.
- To add a new policy, click , or select an existing policy and click Edit.
- Complete the following information:
- Enter a name and description for the policy.
- For Type, select whether to Block, Monitor, or Allow domains in the domain list.
Note: If you have an existing Allow policy, you can edit the type to Block or Monitor the domains in the domain list.
- Use the Active toggle to select whether the policy is Active or Inactive.
Note: You must enter at least one site in the Sites field to activate the policy.
- For Sites, enter one or more sites or site group names to add to the policy.
Tip: Type all sites and press Enter if you want the policy to apply to all of the sites.
Attention: Some Policy features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Policy features function as expected.
- As you enter sites and site groups, they appear below the Sites field.
- To remove a site or site group from a policy, click the X beside the name.
- (Optional) For a block policy, for Redirect Target, enter the fully qualified domain name (for example, www.bluecat.com) to which blocked domains should be redirected.
- (Optional) For a block or monitor policy, select Set Active Time if you want to apply the policy during limited date and time ranges. You can set starting and ending times, combined with applicable days of the week. You can set more than one date and time range.
Note: If you do not specify an active time, the policy is active at all times.
- (Optional) Under Threat, select DGA or Tunneling if you want to block, monitor, or allow queries that meet the threat type criteria. When you select a threat type from the drop-down list, the threat type indicators appear.
Note: If you select both DGA and Tunneling, the policy action will be applied to a query if a threat of either type is identified.
- (Optional) Under Domain List, enter the name of the domain list(s) you want to block, monitor, or allow.
For a block policy, select one or both of the following:
- Block domains based on query/answer: Blocks query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
- Block domains based on authoritative nameservers: Blocks query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
Note: You must select at least one criterion to block domain lists.
For a monitor policy, select one or both of the following:
- Monitor domains based on query/answer: Monitors query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
- Monitor domains based on authoritative nameservers: Monitors query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
Note: You must select at least one criterion to monitor domain lists.
- (Optional) For a block or monitor policy, under Exception List, add any domain lists that are exceptions to the policy rule, if applicable.
Note: If you define an Exception List, you must also define a parent Block List.
- (Optional) Under Query Type, begin typing and select from the list of query types to block or monitor.
- (Optional) Under Source IP:
- For block and monitor policies, select whether to include or exclude source IP addresses.
- Enter individual IP addresses or a CIDR range in the standard 188.8.131.52/xx format or shorthand CIDR 123.x/xx format, to block or monitor.
- Press Enter.
- Click Save or Save and Apply.
Active policies are applied immediately. Inactive policies are saved but not applied until activated.
- To delete a policy, ensure that it's inactive, then select it and click Delete.
Note: Sites, site groups, or domain lists can be deleted even if they're included in a policy. If this happens, when you open a policy for editing, you can't save the policy until you remove the deleted items.
- Under Threat, set the Type to Tunneling.
- Under Domain Lists, set the Block List to '*' to block all Tunneling traffic.
- Under Domain Lists, set the Exception List to the legitimate domains that shouldn't be blocked.