Chapter 6: Definition Reference
restrict dns
This definition restricts DNS lookups and is useful in installations where access to DNS resolution is limited or problematic. The definition has no name because it is not directly referenced by any rules. It is global to policy evaluation and intended to prevent any DNS lookups caused by policy. It does not suppress DNS lookups that might be required to make upstream connections.

If the domain specified in a URL matches any of the domain patterns specified in domain_list, no DNS lookup is done for any category=, url=, url.address=, url.domain=, or url.host= test.

The special domain "." matches all domains, and therefore can be used to restrict all policy-based DNS lookups.

If a lookup is required to evaluate the trigger, the trigger evaluates to false.

A restrict dns definition may appear multiple times in policy. The compiler attempts to coalesce these definitions, and may emit various errors or warnings while coalescing if the definition is contradictory or redundant.
Syntax
restrict dns
restricted_domain_list
except
exempted_domain_list
end
where
restricted_domain_list—Domains for which DNS lookup is restricted.
exempted_domain_list—Domains exempt from the DNS restriction. Policy is able to use DNS lookups when evaluating policy related to these domains.
Layer and Transaction Notes
Applies to all layers and transactions.
Example
The following definition restricts policy DNS lookups for all domains except mydomain.com:
restrict dns
. ; meaning “all”
except
mydomain.com
end
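To make the matching and exemption rules above concrete, here is an added Python model of the restrict dns semantics (example code, not ProxySG code): it parses the syntax shown, treats "." as matching every host, lets an except entry override a restricted one, and returns false for a trigger that would need a forbidden lookup. It assumes that a domain pattern matches the host and all of its subdomains, case-insensitively, and that multiple definitions are coalesced by taking the union of their lists.

```python
# Added model of the "restrict dns" semantics described on this page; not ProxySG code.
# Assumptions: a pattern matches the host and its subdomains (case-insensitive),
# an "except" entry overrides a restricted entry, definitions merge by union.
from dataclasses import dataclass, field

@dataclass
class RestrictDns:
    restricted: list = field(default_factory=list)
    exempted: list = field(default_factory=list)

def parse_restrict_dns(text: str) -> RestrictDns:
    """Parse 'restrict dns ... [except ...] end' blocks; ';' starts a comment.
    Several definitions are merged by union of their lists (an assumption)."""
    defn, section = RestrictDns(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line == "restrict dns":
            section = "restricted"
        elif line == "except" and section == "restricted":
            section = "exempted"
        elif line == "end":
            section = None
        elif section is None:
            raise ValueError(f"domain outside a restrict dns block: {line}")
        else:
            getattr(defn, section).append(line.lower())
    if section is not None:
        raise ValueError("unterminated restrict dns definition (missing 'end')")
    return defn

def domain_matches(pattern: str, host: str) -> bool:
    """'.' matches every host; otherwise the host itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return pattern == "." or host == pattern or host.endswith("." + pattern)

def dns_lookup_allowed(defn: RestrictDns, host: str) -> bool:
    """Policy may resolve host unless a restricted pattern matches and no exemption does."""
    if any(domain_matches(p, host) for p in defn.exempted):
        return True
    return not any(domain_matches(p, host) for p in defn.restricted)

def evaluate_trigger(defn, host: str, needs_dns: bool, result_if_resolved: bool) -> bool:
    """A test that would need a forbidden lookup evaluates to false, as the page states."""
    return result_if_resolved if not needs_dns or dns_lookup_allowed(defn, host) else False

# Constructed sample input: the page's own example definition.
SAMPLE = 'restrict dns\n    . ; meaning "all"\nexcept\n    mydomain.com\nend\n'
```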
See Also
Conditions: category=, url=, server_url=
Definitions: restrict rdns