DNS Policy Components
A DNS policy allows you to whitelist or blacklist domain name-based connections. The following list describes the configurations you can change after creating a DNS policy.
Name and Description
Each DNS policy must have a unique name. A description is optional.
Rules provide a granular method of handling network traffic based on the domain name. Rules in a DNS policy are numbered, starting at 1. The ASA FirePOWER module matches traffic to DNS rules in top-down order by ascending rule number.
When you create a DNS policy, the ASA FirePOWER module populates it with a default Global DNS Whitelist rule, and a default Global DNS Blacklist rule. Each rule is fixed to the first position in their respective categories. You cannot modify these rules, but you can disable them. The module evaluates rules in the following order:
Global DNS Whitelist rule (if enabled)
Global DNS Blacklist rule (if enabled)
blacklist and monitor rules
Usually, the module handles domain name-based network traffic according to the first DNS rule where all the rule’s conditions match the traffic. If no DNS rules match the traffic, the module continues evaluating the traffic based on the associated access control policy's rules. DNS rule conditions can be simple or complex.
Editing a DNS Policy
Only one person should edit a DNS policy at a time, using a single browser window. If multiple users attempt to save the same policy, only the first set of saved changes are retained.
To protect the privacy of your session, after thirty minutes of inactivity on the policy editor, a warning appears. After sixty minutes, the module discards your changes.
To edit a DNS policy:
Select> > > .
Edit your DNS policy:
Click Store ASA FirePOWER Changes.
What to do next
Deploy configuration changes; see Deploying Configuration Changes.