What can a DNS firewall do?
Firewalls work by applying a set of rules to a traffic flow, where each rule consists of a trigger and an action. Triggers determine which messages within the traffic flow will be handled specially, and actions determine what that special handling will be. For a DNS firewall, the traffic flow to be controlled consists of responses sent by a recursive DNS server to its end user clients. Some true responses are not safe for all clients, and so the policy rules in a DNS firewall allow some responses to be intercepted and replaced with safer content.
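To make the trigger-and-action model concrete, here is an added toy policy evaluator, not code from the original article or from any RPZ implementation, that models RPZ's QNAME and answer-IP triggers and its NXDOMAIN, NODATA, PASSTHRU and Local Data actions. The rule set and responses are constructed, and "first matching rule wins" is a simplification of real RPZ precedence.

```python
# Toy response-policy evaluator modelled on RPZ triggers and actions.
# Constructed example: the rules and responses below are made up.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Response:
    qname: str                     # name the client asked for
    rcode: str = "NOERROR"
    answers: list = field(default_factory=list)   # A/AAAA rdata strings

# Rule = (trigger kind, trigger value, action). Kinds model RPZ's QNAME and
# IP (answer address) triggers; actions model NXDOMAIN, NODATA, PASSTHRU and
# Local Data (rewrite the answer to a safe address such as a walled garden).
RULES = [
    ("qname", "ok.example.org", "PASSTHRU"),          # exemption, listed first
    ("qname", "*.example.org", "NXDOMAIN"),           # wildcard covers subdomains
    ("ip", "198.51.100.0/24", "NODATA"),              # answer points into a blocked range
    ("qname", "lure.example.net", "LOCAL:192.0.2.10"),  # redirect to walled garden
]

def _qname_matches(pattern: str, qname: str) -> bool:
    qname, pattern = qname.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                           # ".example.org"
        return qname.endswith(suffix) and qname != suffix[1:]
    return qname == pattern

def _triggers(kind: str, value: str, resp: Response) -> bool:
    if kind == "qname":
        return _qname_matches(value, resp.qname)
    if kind == "ip":
        return any(ip_address(a) in ip_network(value) for a in resp.answers)
    return False

def apply_policy(resp: Response, rules=RULES) -> Response:
    """Return the response the client should see; the first matching rule wins."""
    for kind, value, action in rules:
        if not _triggers(kind, value, resp):
            continue
        if action == "PASSTHRU":
            return resp
        if action == "NXDOMAIN":
            return Response(resp.qname, "NXDOMAIN", [])
        if action == "NODATA":
            return Response(resp.qname, "NOERROR", [])
        if action.startswith("LOCAL:"):
            return Response(resp.qname, "NOERROR", [action.split(":", 1)[1]])
    return resp   # no rule matched: deliver the true answer unchanged
```

Note that the exemption rule must precede the wildcard it carves out of, and that the apex name `example.org` is deliberately not covered by `*.example.org`.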

See also: Building DNS Firewalls with Response Policy Zones (RPZ)