Open a policy
Go to Security > DNS Security > Policies and click the policy name.
The policy detail page has the following tabs: Details, Filters, Services, Custom Rules, Schedule, Assignments, and Options.
Note: If you have a read-only role, all controls are visible but disabled. You cannot save changes.
Details tab
The Details tab covers the foundational settings: policy name, description, and Block Response Method. These are also configured in Step 1 of the Create Policy wizard.
Policy name and description
Click the policy name to edit it inline. The description is optional but useful for documenting scope.
Block Response Method
Controls how the DNS resolver signals a blocked domain to the device.
NXDOMAIN — domain appears not to exist. Silent — no error page shown to users. Recommended for malware, phishing, and tracker blocks where you do not want to alert the user.
Sinkhole — device is directed to your block page. The user sees a message explaining the block. Recommended for productivity filters where visibility and user awareness are important.
NULL IP — returns 0.0.0.0. Not recommended.
Note: Sinkhole requires your block page to be configured. Go to Settings > Block Page to set it up. If no block page is configured, devices using Sinkhole may receive an empty response.
Per-filter overrides: This setting is the global default for all blocks in this policy. You can override it per filter category in the Options tab.
Click Save after making changes on this tab.
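To make the three response methods concrete, here is an added example (not the product's own code) that hand-rolls the DNS wire format a filtering resolver would return for a blocked name under each method, plus a classifier you can run over a captured response to tell which method was applied. The transaction id, the query name and the block page address (192.0.2.10, from the TEST-NET-1 documentation range) are constructed values; the "empty response" branch mirrors the caveat in the note above about Sinkhole with no block page configured.

```python
"""What the device receives under each Block Response Method.

Added example, not the product's own code: a minimal hand-rolled DNS wire
encoder and classifier so the three methods can be compared offline. The
transaction id, query name and block page address (192.0.2.10, from the
TEST-NET-1 documentation range) are constructed values.
"""
import socket
import struct

FLAGS_RESPONSE = 0x8180  # QR=1, RD=1, RA=1; the RCODE is OR'ed in below
NXDOMAIN_RCODE = 3


def encode_name(name: str) -> bytes:
    """Encode 'blocked.example' as DNS labels: \\x07blocked\\x07example\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid: int, qname: str, method: str, block_page_ip: str = None) -> bytes:
    """Build the A-record response a filtering resolver returns for a blocked name."""
    rcode = NXDOMAIN_RCODE if method == "NXDOMAIN" else 0
    answers = []
    if method == "Sinkhole" and block_page_ip is not None:
        answers.append(block_page_ip)      # device is sent to the block page
    elif method == "NULL IP":
        answers.append("0.0.0.0")
    # Sinkhole with no block page configured falls through with no answer
    # section at all: NOERROR but empty, matching the caveat in the note above.
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer_rrs = b"".join(
        b"\xc0\x0c"                                     # pointer to the question name
        + struct.pack("!HHIH", 1, 1, 60, 4)             # A, IN, TTL 60, RDLENGTH 4
        + socket.inet_aton(ip)
        for ip in answers)
    return header + question + answer_rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, whether it is written out as labels or as a pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def classify_response(msg: bytes, block_page_ip: str = None) -> str:
    """Name the method a captured response reflects: NXDOMAIN, Sinkhole, NULL IP,
    'empty' (NOERROR with no answers) or 'resolved' (some other address)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0F == NXDOMAIN_RCODE:
        return "NXDOMAIN"
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlength
    if not addresses:
        return "empty"
    if addresses == ["0.0.0.0"]:
        return "NULL IP"
    if block_page_ip is not None and addresses == [block_page_ip]:
        return "Sinkhole"
    return "resolved"


if __name__ == "__main__":
    for method in ("NXDOMAIN", "Sinkhole", "NULL IP"):
        msg = build_response(0x1234, "blocked.example", method, block_page_ip="192.0.2.10")
        print(method, len(msg), "bytes ->", classify_response(msg, block_page_ip="192.0.2.10"))
```

The classifier needs the configured block page address to distinguish a Sinkhole answer from a genuine resolution, which is also why verifying a Sinkhole deployment means checking that clients receive exactly that address and not an empty NOERROR response.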
Filters tab
Filters are category-based blocklists. Enabling a category blocks all domains in that group for devices assigned to this policy.
Security filters
Filter | What it blocks | Notes |
--- | --- | --- |
Malware | Malware infrastructure, C2 servers, botnets | Supports Relaxed / Balanced / Strict mode |
Phishing | Phishing and credential-harvesting domains | |
New Domains | Domains registered in the last 30 days | May block legitimate new sites |
Dynamic DNS | Dynamic DNS providers used to hide infrastructure | |
Malware filter modes:
Relaxed — smaller blocklist, high-confidence matches only. Fewer false positives.
Balanced — standard coverage. Recommended for most deployments.
Strict — broader detection, higher false-positive rate. After enabling Strict, check Event Logs for legitimate domains being blocked and add Custom Allow rules as needed.
Content filters
Filter | What it blocks |
--- | --- |
Adult Content | Explicit and adult-oriented domains |
Gambling | Online gambling and betting sites |
Drugs | Drug-related content and marketplaces |
Dating | Dating platforms and adult matchmaking |
Clickbait | Misleading, sensationalist, and low-quality content sites |
Productivity filters
Filter | What it blocks |
--- | --- |
Social | Social media platforms |
Games | Online gaming and gaming distribution sites |
File Hosting | File sharing and cloud storage platforms |
Torrents & Piracy | BitTorrent sites and piracy indexes |
AI Tools | Consumer AI chat and generation tools |
Technical filters
Filter | What it blocks |
--- | --- |
Ads & Trackers | Ad networks, tracking pixels, and analytics domains |
VPN & DNS Bypass | VPN services and tools that attempt to bypass DNS filtering |
URL Shorteners | URL shortening services (domains behind them are not inspectable) |
Crypto | Cryptocurrency exchanges and blockchain infrastructure |
Streaming Video | Streaming video platforms |
Toggle any filter on or off. For Malware, select the mode after enabling. Click Save after making changes.
Custom Rules override Filters. If a domain in a blocked category needs to remain accessible, add a Custom Allow rule in the Custom Rules tab.
Services tab
Services block specific apps by name. Each service covers all known domains and CDNs for that app — not just the primary domain.
Available app groups: Social, Audio, Video, Messaging, Productivity, Gaming.
Examples: Gmail, Instagram, LinkedIn, WhatsApp, Telegram, Slack, Zoom, YouTube, Netflix, Spotify, TikTok, Reddit, Discord, Steam, Dropbox, Google Drive.
Toggle each service you want to block. The domain count badge next to each service shows how many domains are in that bundle.
Click Save after making changes.
Note: Services block all domains in the app's bundle. To allow access to a specific domain within a blocked service (e.g., allow meet.google.com while YouTube is blocked), add a Custom Allow rule in the Custom Rules tab.
Custom Rules tab
Custom Rules are the highest-priority layer. They override Services and Filters.
The Custom Rules table shows all existing rules: pattern, pattern type, action (Allow / Block), and an optional note.
Add a rule
Click Add Rule.
In the Add Custom Rule panel that opens on the right:
Enter the Pattern (domain, IP, TLD, or regex).
Select the Pattern Type.
Set the Action: Allow or Block.
Optionally add a Note to document the rule's purpose.
Review the live preview below the pattern field — it shows exactly which domains the rule will match.
Click Save Rule.
Pattern types
Type | What it matches | When to use |
--- | --- | --- |
Domain + All Subdomains | The domain and all of its subdomains | Default for most rules. |
Exact Domain Only | Only the exact domain entered | When you need to allow or block one specific subdomain without affecting others |
Substring Wildcard | Any domain containing the specified string | Use cautiously — high false-positive risk. Shown with a warning. |
TLD Block | All domains under a top-level domain | Block an entire TLD, e.g., |
IP / CIDR | An IP address or IP range | For infrastructure-level blocks |
Regex (Advanced) | Any pattern matching the regex | Maximum 10 per policy — affects DNS resolver performance. Available under Advanced Options in the rule panel. |
Edit or delete a rule
To edit: click the edit icon on the rule's row. The rule panel opens pre-filled.
To delete: click the delete icon on the rule's row. Deletion is immediate.
Common rule patterns
Exception for a blocked Filter category: Allow payroll.acme.com (Domain + All Subdomains, Allow) while the File Hosting filter is active.
Exception within a blocked Service: Allow meet.google.com (Exact Domain Only, Allow) while the Google Meet service bundle is blocked.
Block a specific domain not in any Filter: Block unapproved-tool.io (Domain + All Subdomains, Block).
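The precedence described in the Filters, Services and Custom Rules sections (Custom Rules override Services, which override Filters), the pattern types from the table, and the per-category response method from the Options tab can be checked end to end with the added evaluator below. It is an illustrative implementation, not the product's own code: the pattern-type names are the ones from the table, the sample policy mirrors the three common rule patterns just listed, the service bundle and filter feeds are constructed, and first-match order within a single layer is an assumption (the page does not state how ties inside one layer resolve).

```python
"""Layered DNS policy evaluation: Custom Rules > Services > Filters.

Added example, not the product's own code. Pattern-type names are those from
the Pattern types table; sample domains, the service bundle and the filter
feeds are constructed; first-match order within a layer is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_REGEX_RULES = 10  # per-policy limit stated for Regex (Advanced)


@dataclass(frozen=True)
class CustomRule:
    pattern: str
    pattern_type: str  # one of the types from the Pattern types table
    action: str        # "Allow" or "Block"
    note: str = ""


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return qname.rstrip(".").lower()


def in_zone(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it."""
    return name == domain or name.endswith("." + domain)


def rule_matches(rule: CustomRule, qname: str, resolved_ip: Optional[str] = None) -> bool:
    name, pat = normalize(qname), normalize(rule.pattern)
    t = rule.pattern_type
    if t == "Domain + All Subdomains":
        return in_zone(name, pat)
    if t == "Exact Domain Only":
        return name == pat
    if t == "Substring Wildcard":      # high false-positive risk, as the table warns
        return pat in name
    if t == "TLD Block":
        return name.rsplit(".", 1)[-1] == pat.lstrip(".")
    if t == "IP / CIDR":               # needs the answer address, not the name
        if resolved_ip is None:
            return False
        return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(rule.pattern, strict=False)
    if t == "Regex (Advanced)":
        return re.search(rule.pattern, name) is not None
    raise ValueError(f"unknown pattern type: {t}")


@dataclass
class Policy:
    custom_rules: list = field(default_factory=list)
    services: dict = field(default_factory=dict)   # service name -> bundled domains
    filters: dict = field(default_factory=dict)    # filter category -> blocked domains
    block_method: str = "NXDOMAIN"                 # policy-wide default (Details tab)
    method_overrides: dict = field(default_factory=dict)  # per category (Options tab)

    def response_method(self, category: str) -> str:
        return self.method_overrides.get(category, self.block_method)


def validate(policy: Policy) -> None:
    """Reject policies that exceed the regex limit from the Pattern types table."""
    n = sum(1 for r in policy.custom_rules if r.pattern_type == "Regex (Advanced)")
    if n > MAX_REGEX_RULES:
        raise ValueError(f"{n} regex rules exceeds the limit of {MAX_REGEX_RULES}")


def evaluate(policy: Policy, qname: str, resolved_ip: Optional[str] = None) -> dict:
    """Return the verdict and the layer that produced it, highest priority first."""
    name = normalize(qname)
    for rule in policy.custom_rules:                        # layer 1: Custom Rules
        if rule_matches(rule, name, resolved_ip):
            if rule.action == "Allow":
                return {"verdict": "allow", "layer": "custom_rule", "match": rule.pattern}
            return {"verdict": "block", "layer": "custom_rule", "match": rule.pattern,
                    "method": policy.response_method("Custom Rules")}
    for svc, domains in policy.services.items():           # layer 2: Services
        if any(in_zone(name, d) for d in domains):
            return {"verdict": "block", "layer": "service", "match": svc,
                    "method": policy.response_method(svc)}
    for category, domains in policy.filters.items():       # layer 3: Filters
        if any(in_zone(name, d) for d in domains):
            return {"verdict": "block", "layer": "filter", "match": category,
                    "method": policy.response_method(category)}
    return {"verdict": "allow", "layer": None, "match": None}


# Constructed sample policy mirroring the "Common rule patterns" above.
SAMPLE = Policy(
    custom_rules=[
        CustomRule("payroll.acme.com", "Domain + All Subdomains", "Allow", "HR exception"),
        CustomRule("meet.google.com", "Exact Domain Only", "Allow", "Meet while bundle blocked"),
        CustomRule("unapproved-tool.io", "Domain + All Subdomains", "Block"),
        CustomRule("203.0.113.0/24", "IP / CIDR", "Block", "constructed test range"),
    ],
    services={"Google Meet": {"meet.google.com"}},              # constructed bundle
    filters={"Malware": {"c2.example"},                         # constructed feeds
             "File Hosting": {"payroll.acme.com", "files.example"}},
    block_method="NXDOMAIN",
    method_overrides={"File Hosting": "Sinkhole", "Google Meet": "Sinkhole"},
)

if __name__ == "__main__":
    validate(SAMPLE)
    for q in ["payroll.acme.com", "meet.google.com", "calendar.meet.google.com",
              "unapproved-tool.io", "files.example", "c2.example"]:
        print(q, evaluate(SAMPLE, q))
```

Running the sample shows why the table recommends Exact Domain Only for the Meet exception: `meet.google.com` is allowed by the custom rule, but `calendar.meet.google.com` is still caught by the service bundle, whereas a Domain + All Subdomains rule would have reopened the whole zone.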
Schedule tab
By default, a policy filters DNS queries 24 hours a day, 7 days a week. The Schedule tab lets you restrict filtering to specific times.
Always Active — policy runs continuously with no time restrictions (default).
Custom Schedule — policy runs only during defined time windows.
To add a time window:
Select Custom Schedule.
Click + Add Time Window.
Select the days of the week.
Set the start and end time.
You can add multiple windows. Example: block social media Monday through Friday, 8am to 6pm, and allow it outside those hours.
Timezone: The schedule uses your organization's timezone. This is shown as read-only on the tab. To change it, go to organization settings.
No windows configured: If Custom Schedule is selected but no windows are added, the policy will not be enforced at any time. Add at least one window for the schedule to take effect.
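The schedule semantics above (Always Active, Custom Schedule with day-of-week windows, the organization timezone, and the no-windows case) can be expressed as a small decision function. This is an added example, not the product's own code: the window shape follows the Schedule tab, the organization timezone is passed in as a tzinfo (in practice `zoneinfo.ZoneInfo` for the organization's zone; the sample uses a constructed fixed UTC-4 offset so it runs without tz data), and treating a window whose end is not after its start as crossing midnight is an assumption the page does not make.

```python
"""Schedule evaluation for a DNS policy: Always Active vs Custom Schedule.

Added example, not the product's own code. Windows are (days, start, end) as
on the Schedule tab; the organization timezone is any tzinfo. The sample
offset below is constructed, and overnight-window handling is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4, as datetime.weekday()


@dataclass(frozen=True)
class TimeWindow:
    days: frozenset     # weekday numbers the window applies to
    start: time
    end: time


def window_covers(w: TimeWindow, local: datetime) -> bool:
    """True if the local timestamp falls inside the window (end is exclusive)."""
    day, t = local.weekday(), local.time()
    if w.start < w.end:                      # same-day window, e.g. 08:00-18:00
        return day in w.days and w.start <= t < w.end
    # Assumed semantics for an overnight window, e.g. 22:00-02:00: the early
    # morning part belongs to the day on which the window started.
    started_yesterday = (day - 1) % 7 in w.days and t < w.end
    return (day in w.days and t >= w.start) or started_yesterday


def is_enforced(mode: str, windows: list, now: datetime, org_tz: tzinfo) -> bool:
    """Decide whether the policy filters queries at 'now' (an aware datetime)."""
    if mode == "Always Active":
        return True
    if mode != "Custom Schedule":
        raise ValueError(f"unknown schedule mode: {mode}")
    if not windows:          # as documented: no windows means never enforced
        return False
    local = now.astimezone(org_tz)   # the schedule is in the organization's timezone
    return any(window_covers(w, local) for w in windows)


# Constructed sample: social media blocked Mon-Fri 08:00-18:00, organization in UTC-4.
ORG_TZ = timezone(timedelta(hours=-4), name="constructed UTC-4")
BUSINESS_HOURS = [TimeWindow(WEEKDAYS, time(8, 0), time(18, 0))]

if __name__ == "__main__":
    for utc in [datetime(2024, 6, 10, 14, 0, tzinfo=timezone.utc),   # Mon 10:00 local
                datetime(2024, 6, 10, 23, 0, tzinfo=timezone.utc),   # Mon 19:00 local
                datetime(2024, 6, 8, 14, 0, tzinfo=timezone.utc)]:   # Sat 10:00 local
        print(utc.isoformat(), is_enforced("Custom Schedule", BUSINESS_HOURS, utc, ORG_TZ))
```

Note that the comparison happens after converting to the organization's timezone, so a query logged at 23:00 UTC on a Monday is outside the 8am to 6pm window for an organization four hours behind UTC even though the UTC weekday still reads Monday.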
Assignments tab
The Assignments tab shows all device groups receiving this policy.
To assign a device group:
Click Assign Groups.
Search for and select groups.
Click Assign groups.
To remove a device group: Click Remove on the group's row. The group reverts to its default DNS configuration (or to another assigned policy, if one exists).
Conflict badge: If a group appears in more than one DNS Security policy, the row shows a conflict badge with the name of the conflicting policy. A device group can only be actively filtered by one policy. Remove the group from the other policy to resolve.
Options tab
The Options tab lets you override the Block Response Method per filter category. This is useful when different filter types need different response behaviors within the same policy.
The default method for each filter type is pre-configured (malware and trackers use NXDOMAIN; productivity and content filters use Sinkhole). Change individual rows here if your organization needs different behavior for specific categories.
Response | What the device receives | When to use |
--- | --- | --- |
NXDOMAIN | Domain appears not to exist | Security blocks — silently stops the request |
Sinkhole | Device is redirected to the block page | User-facing blocks where visibility matters |
NULL IP | Returns 0.0.0.0 | Not recommended |
Click Save after making changes.
Deactivate, duplicate, or delete a policy
These actions are available from the overflow menu (⋯) in the policy header.
Deactivate — pauses filtering. Assigned device groups revert to default DNS until the policy is reactivated. Deactivation requires confirmation.
Duplicate — creates a copy of the policy (including all Custom Rules, Filters, Services, and Options) named "Copy of [original name]". You are taken to the duplicate's detail page to review before assigning.
Delete — permanently removes the policy. If the policy is assigned to device groups, a confirmation dialog shows how many devices will lose DNS filtering. Deletion cannot be undone.
