Common DNS policies
The following policies are commonly used to secure DNS traffic.
Refer to the DNS policies page for a comprehensive list of other selectors, operators, and actions.
Block content categories
Block content categories which go against your organization’s acceptable use policy.
Selector | Operator | Value | Action |
---|---|---|---|
Content categories | in | Adult Themes, Gambling | Block |
Block applications
Block specific applications which go against your organization’s acceptable use policy.
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Netflix | Block |
Check user identity
Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Salesforce | Block |
User Group Names | in | Contractors | |
Restrict access to specific groups
Filter DNS queries to allow only specific users access.
The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the order of precedence.
1. Allow a group
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Content Categories | in | Social Networks | And | Allow |
User Group Names | in | marketing-team | | |
2. Block all other users
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Social Networks | Block |
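The ordering requirement above, as an added Python sketch (not Cloudflare's code or API): it models policies as evaluated top to bottom with the first match deciding the action, and shows what changes when the Block policy is placed above the Allow policy. The Policy class, its field names, the sample users, and the default action for unmatched queries are assumptions made for illustration.

```python
# Simplified first-match model of ordered DNS policies (illustration only).
# Class and field names are hypothetical, not Cloudflare's API.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    action: str                                # "allow" or "block"
    categories: set                            # Content Categories "in" values
    groups: set = field(default_factory=set)   # User Group Names "in"; empty = any user

    def matches(self, query_categories, user_groups):
        # Selectors inside one policy are joined with And.
        if not (self.categories & set(query_categories)):
            return False
        if self.groups and not (self.groups & set(user_groups)):
            return False
        return True

def evaluate(policies, query_categories, user_groups):
    """Return (action, policy name) of the first matching policy, top to bottom."""
    for policy in policies:
        if policy.matches(query_categories, user_groups):
            return policy.action, policy.name
    # Assumption: a query that matches no policy is resolved normally.
    return "allow", "no policy matched"

ALLOW_MARKETING = Policy("Allow a group", "allow", {"Social Networks"}, {"marketing-team"})
BLOCK_EVERYONE = Policy("Block all other users", "block", {"Social Networks"})
CORRECT_ORDER = [ALLOW_MARKETING, BLOCK_EVERYONE]
WRONG_ORDER = [BLOCK_EVERYONE, ALLOW_MARKETING]

# Constructed sample queries: (user, user's groups, categories of the queried domain)
SAMPLE_QUERIES = [
    ("alice", ["marketing-team"], ["Social Networks"]),
    ("bob", ["engineering"], ["Social Networks"]),
    ("bob", ["engineering"], ["News"]),
]

def compare_orders():
    """Action per sample query under each ordering: (user, category, correct, wrong)."""
    return [(user, cats[0], evaluate(CORRECT_ORDER, cats, groups)[0],
             evaluate(WRONG_ORDER, cats, groups)[0])
            for user, groups, cats in SAMPLE_QUERIES]

if __name__ == "__main__":
    for row in compare_orders():
        print("%-6s %-16s allow-first=%-6s block-first=%s" % row)
```

With the Block policy first, the marketing-team user is blocked as well, because the broader policy matches before the Allow policy is ever reached.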
Block sites by top-level domain
Block sites with a specific top-level domain (TLD).
Selector | Operator | Value | Action |
---|---|---|---|
Domain | matches regex | [.]fail | Block |
Control IP version
Enterprise users can pair these policies with an egress policy to control which IP address is used to egress to the origin server.
Force IPv4
Force users to connect with IPv4.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Query Record Type | is | AAAA | And | Block |
Domain | is | example.com | | |
Force IPv6
Force users to connect with IPv6.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Query Record Type | is | A | And | Block |
Domain | is | example.com | | |