articles/dns/dns-security-policy.md (6 additions, 2 deletions)
@@ -41,7 +41,8 @@ A security policy can only apply to VNets in the same region. You can create any

-
Keep in mind that >the policy:VNet relationship is 1:N. When you associate a VNet with a security policy (via virtual network links), that VNet can't then be associated with another security policy. A single DNS security policy can be associated with multiple VNets in the same region.
+
> [!IMPORTANT]
+
> The **policy:VNet** relationship is **1:N**. When you associate a VNet with a security policy (via virtual network links), that VNet can't then be associated with another security policy. A single DNS security policy can be associated with multiple VNets in the same region.
## DNS traffic rules
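Review bot: The removed line had a stray `>` in the middle of the sentence ("Keep in mind that >the policy:VNet"), so moving the text into a `> [!IMPORTANT]` callout fixes that rendering defect as well as raising visibility. One suggestion for the new callout: spell out the direction of **1:N** in words, for example "one policy can be linked to many VNets, but each VNet can be linked to only one policy", since the ratio alone can be read either way and the two sentences that follow are what actually carry the constraint.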
@@ -53,7 +54,7 @@ To display DNS traffic rules in the Azure portal, select a DNS security policy a
- Rules are processed in order of **Priority** in the range 100-65000. Lower numbers are higher priority.
* If a domain name is blocked in a lower priority rule, and the same domain is allowed in a higher priority rule, the domain name is allowed.
-
*Rule priority takes precedence over the number of labels in a domain name. If contoso.com is allowed in a higher priority rule, then sub.contoso.com is allowed, even if sub.contoso.com is blocked in a lower priority rule.
+
*Rules follow the DNS hierarchy. If contoso.com is allowed in a higher priority rule, then sub.contoso.com is allowed, even if sub.contoso.com is blocked in a lower priority rule.
- You can dynamically add and delete rules from the list. Be sure to **Save** after editing rules in the portal.
- During preview, up to 10 traffic rules are allowed per security policy. This limit will be increased to 100 for general availability.
- Multiple **DNS Domain Lists** are allowed per rule. You must have at least one DNS domain list.
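Review bot: The added line `*Rules follow the DNS hierarchy. If contoso.com ...` has no space after the `*`, so it will not render as a list item (the removed line had the same defect); add the space, and consider using `-` to match the surrounding items, which currently mix `-` and `* ` markers. Separately, "follow the DNS hierarchy" is easy to read as longest-suffix matching, while the example shows the opposite: the higher priority allow for contoso.com wins over the lower priority block on sub.contoso.com. Keeping the removed sentence's point that priority beats label count, e.g. "A match on a parent domain in a higher priority rule wins over a more specific match in a lower priority rule", would make the enforcement behaviour unambiguous for anyone writing block rules.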
@@ -81,6 +82,9 @@ You can associate a domain list to multiple DNS traffic rules in different secur

+
> [!IMPORTANT]
+
> Be careful when creating wildcard domain lists. For example, if you create a domain list that applies to all domains (by entering `.` as the DNS domain) and then configure a DNS traffic rule to block queries to this domain list, you can prevent required services from working.
+
When viewing a DNS domain list in the Azure portal, you can also select **Settings** > **Associated DNS Traffic Rules** to see a list of all traffic rules and the associated DNS security policies that reference the DNS domain list.
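Review bot: The callout says what goes wrong with a block rule on `.` but not how to use such a rule safely; given the priority behaviour in the traffic rules section (lower numbers are higher priority, and an allow in a higher priority rule overrides a block in a lower priority rule), suggest adding one sentence that a catch-all block list belongs at the lowest priority with explicit allow rules above it for the domains that required services need. Also, `.` is the DNS root rather than a wildcard, so "a domain list that matches every name" would be more accurate than "wildcard domain lists". Minor: the extra blank line added after the callout leaves two consecutive blank lines before the next paragraph; one is enough.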
