This section describes DNS policies: what a policy consists of, how it is attached to a DNS virtual service, and how its rules are evaluated.

A DNS policy consists of rules, each of which has one or more match targets and an action. The match targets are attributes of the DNS request, such as the query type, the queried domain name, the DNS transport protocol (UDP or TCP), the client IP address that originated the request, and so on. Rule actions range from security actions, such as closing the connection, to response actions, such as generating an empty response.

A DNS policy can be referenced by a Layer 4 DNS virtual service (L4 DNS VS), that is, a virtual service whose application profile is of type DNS. A single DNS virtual service refers to a single DNS policy.

The DNS rule engine runs for a request only after that request has been received and parsed successfully; a request that cannot be parsed never reaches the policy rules.

A DNS policy rule is a hit for a DNS request if all of its match targets evaluate to TRUE. If any match target evaluates to FALSE, the rule is not a hit and evaluation moves on to the next rule in the current policy, or, if the current policy has no more rules, to the first rule of the next policy.

Note:

For a DNS query, the DNS policy rules are applied before any lookup of GSLB and static DNS entries in the database, so a query that a rule drops or answers with an empty response never consults those entries.
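The following is an added, illustrative model of the evaluation order described above; it is not the product's code or configuration schema. It parses a raw DNS query (so that a malformed packet is rejected before any rule runs), then evaluates a list of policies in order, treating a rule as a hit only when every match target is TRUE and otherwise falling through to the next rule or the next policy. The match-target helpers, the action names, the sample policies, the client addresses and the assumption that evaluation stops at the first hit are all constructed for this example.

```python
"""Illustrative DNS policy rule engine (added example, not product code)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}
QTYPE_NUMS = {name: num for num, name in QTYPE_NAMES.items()}


@dataclass
class DnsRequest:
    """Request attributes a rule can match on (assumed subset)."""
    qname: str       # fully qualified, lower-case, with trailing dot
    qtype: str       # "A", "AAAA", "TXT", ...
    protocol: str    # "udp" or "tcp"
    client_ip: str


@dataclass
class Rule:
    name: str
    matches: List[Callable[[DnsRequest], bool]]  # ALL must be True for a hit
    action: str                                   # hypothetical action name


@dataclass
class Policy:
    name: str
    rules: List[Rule]


# Match-target builders (hypothetical helpers, one per request attribute).
def match_qtype(*types):
    return lambda r: r.qtype in types

def match_qname_suffix(suffix):
    s = suffix.lower().strip(".")
    return lambda r: r.qname.rstrip(".") == s or r.qname.rstrip(".").endswith("." + s)

def match_protocol(proto):
    return lambda r: r.protocol == proto

def match_client_net(*cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.client_ip) in n for n in nets)

def not_(pred):
    return lambda r: not pred(r)


def parse_query(raw: bytes, protocol: str, client_ip: str) -> DnsRequest:
    """Parse header + single question of a wire-format DNS query; raise on anything malformed."""
    if len(raw) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(raw):
            raise ValueError("truncated name")
        ln = raw[off]
        off += 1
        if ln == 0:
            break
        if ln > 63:  # rejects over-long labels and compression pointers (0xC0..)
            raise ValueError("bad label length")
        if off + ln > len(raw):
            raise ValueError("truncated label")
        labels.append(raw[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(raw):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", raw[off:off + 4])
    return DnsRequest(".".join(labels).lower() + ".", QTYPE_NAMES.get(qtype, str(qtype)), protocol, client_ip)


def evaluate(policies: List[Policy], req: DnsRequest) -> Optional[Tuple[str, str]]:
    """Walk rules in order across policies; first rule whose match targets are ALL true wins (assumption)."""
    for policy in policies:
        for rule in policy.rules:
            if all(m(req) for m in rule.matches):
                return f"{policy.name}/{rule.name}", rule.action
    return None  # no hit in any policy


def handle(policies: List[Policy], raw: bytes, protocol: str, client_ip: str):
    """Returns (outcome, detail, action). The rule engine runs only if parsing succeeded."""
    try:
        req = parse_query(raw, protocol, client_ip)
    except ValueError as exc:
        return ("parse_error", str(exc), None)
    hit = evaluate(policies, req)
    if hit:
        return ("hit", hit[0], hit[1])
    return ("lookup", "no rule hit; proceed to GSLB and static DNS lookup", None)


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Build a constructed wire-format query (RD set, one question, class IN) for the examples."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", QTYPE_NUMS[qtype], 1)


# Constructed sample policies: a security policy followed by a response policy.
POLICIES = [
    Policy("security", [
        Rule("drop-zone-transfer", [match_qtype("AXFR", "ANY")], "close_connection"),
        Rule("hide-internal-from-outside",
             [match_qname_suffix("corp.example"), not_(match_client_net("10.0.0.0/8", "192.168.0.0/16"))],
             "empty_response"),
    ]),
    Policy("response", [Rule("empty-txt", [match_qtype("TXT")], "empty_response")]),
]

if __name__ == "__main__":
    print(handle(POLICIES, build_query("www.corp.example", "A"), "udp", "198.51.100.7"))
    print(handle(POLICIES, build_query("www.corp.example", "A"), "udp", "10.1.2.3"))
```

An A query for www.corp.example from an external client misses the first rule (wrong query type) but hits the second; the same query from 10.1.2.3 fails the client-IP match target, so that rule is not a hit either, and with no rule hitting in the second policy the request proceeds to the lookup stage. A truncated packet is reported as a parse error without any rule being evaluated.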