From 104f8c7f3e4991bdec0b90aeaadb8cd73cfcd09a Mon Sep 17 00:00:00 2001 From: Rex Scaria Date: Mon, 17 Mar 2025 14:14:15 -0400 Subject: [PATCH 1/9] add gateway dns request context categories selector doc --- .../gateway/dns-policies/common-policies.mdx | 9 ++++ .../dns/block-dynamic-categories.mdx | 50 +++++++++++++++++++ .../dns-request-context-categories.mdx | 9 ++++ 3 files changed, 68 insertions(+) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 82777d2468f5c7c..4a6f9bac0543d34 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -68,6 +68,15 @@ The categories included in this policy are not always a security threat, but blo product="cloudflare-one" /> +## Block dynamic list of categories + +Block a set of categories sent in the EDNS section of the request. The integer category list to block on, can be sent to the gateway DNS as JSON(`{"categories": []}`) via OPT code 65050. This is useful to filter by categories, that are not known at the time of creating a rule. Whenever a DNS request is blocked because of the request context categories, gateway will reply with an EDE Blocked(15) field containing an array of matched categories. + + + ## Block unauthorized applications diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx new file mode 100644 index 000000000000000..71c7d615faa363e --- /dev/null 
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx @@ -0,0 +1,50 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ------------------------ | -------- | ------- | ------ | +| Request Context Category | is | Present | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-Bock-Category-Matches-In-Request", + "description": "Block all category matches in the requet edns context", + "precedence": 30, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "dns.categories_in_request_context_matches", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { + account_id = var.cloudflare_account_id + name = "All-DNS-Bock-Category-Matches-In-Request" + description = "Block all category matches in the requet edns context" + enabled = true + action = "block" + filters = ["dns"] + traffic = "dns.categories_in_request_context_matches" + identity = "" +} +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx new file mode 100644 index 000000000000000..d3bfa1fe88099ac --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx 
@@ -0,0 +1,9 @@ +--- +{} +--- + +Use this selector to match dynamic list of category ids sent in the EDNS section of the request(OPT code 65050) [request context categories](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids). $1 + +| UI name | API example | Evaluation phase | +| -------------------------- | ------------------------------------------- | --------------------- | +| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution | From 08164a5a2234c744b65512ed66dff64415672882 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Mar 2025 16:35:29 -0500 Subject: [PATCH 2/9] Add selector to list --- .../policies/gateway/dns-policies/index.mdx | 8 ++++++++ .../gateway/selectors/dns-request-context-categories.mdx | 9 --------- 2 files changed, 8 insertions(+), 9 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 5f16451a0b7ad15..135cbf335299db7 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -392,6 +392,14 @@ Use this selector to filter based on the IP addresses that the query resolves to | ----------- | ------------------------------------------ | -------------------- | | Resolved IP | `any(dns.resolved_ips[*] == 198.51.100.0)` | After DNS resolution | +### Request Context Categories + +Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the EDNS portion of a DNS query. Cloudflare includes request context in the OPT code `65050`. + +| UI name | API example | Evaluation phase | +| -------------------------- | --------------------------------------------------------------------- | --------------------- | +| Request Context Categories | `any(dns.categories_in_request_context_matches[*] in {2 67 125 133})` | Before DNS resolution | + ### Security Categories diff --git a/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx deleted file mode 100644 index d3bfa1fe88099ac..000000000000000 --- a/src/content/partials/cloudflare-one/gateway/selectors/dns-request-context-categories.mdx +++ /dev/null @@ -1,9 +0,0 @@ ---- -{} ---- - -Use this selector to match dynamic list of category ids sent in the EDNS section of the request(OPT code 65050) [request context categories](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids). $1 - -| UI name | API example | Evaluation phase | -| -------------------------- | ------------------------------------------- | --------------------- | -| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution | From fcb43d50f48240db94cdb080573757deb252ed50 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Thu, 20 Mar 2025 16:40:15 -0500 Subject: [PATCH 3/9] Add common policy to page --- .../gateway/dns-policies/common-policies.mdx | 48 ++++++++++++++++-- .../policies/gateway/dns-policies/index.mdx | 2 +- .../dns/block-dynamic-categories.mdx | 50 ------------------- 3 files changed, 45 insertions(+), 55 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 4a6f9bac0543d34..2071458212c5b98 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -72,10 +72,50 @@ The categories included in this policy are not always a security threat, but blo Block a set of categories sent in the EDNS section of the request. The integer category list to block on, can be sent to the gateway DNS as JSON(`{"categories": []}`) via OPT code 65050. This is useful to filter by categories, that are not known at the time of creating a rule. Whenever a DNS request is blocked because of the request context categories, gateway will reply with an EDE Blocked(15) field containing an array of matched categories. - + + +| Selector | Operator | Value | Action | +| ------------------------ | -------- | ------- | ------ | +| Request Context Category | is | Present | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-Bock-Category-Matches-In-Request", + "description": "Block all category matches in the requet edns context", + "precedence": 30, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "dns.categories_in_request_context_matches", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { + account_id = var.cloudflare_account_id + name = "All-DNS-Bock-Category-Matches-In-Request" + description = "Block all category matches in the requet edns context" + enabled = true + action = "block" + filters = ["dns"] + traffic = "dns.categories_in_request_context_matches" + identity = "" +} +``` + + ## Block unauthorized applications diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 135cbf335299db7..fac39971f9af46a 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -394,7 +394,7 @@ Use this selector to filter based on the IP addresses that the query resolves to ### Request Context Categories -Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the EDNS portion of a DNS query. Cloudflare includes request context in the OPT code `65050`. +Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the EDNS portion of a DNS query. Gateway includes request context with the OPT code `65050`. | UI name | API example | Evaluation phase | | -------------------------- | --------------------------------------------------------------------- | --------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx deleted file mode 100644 index 71c7d615faa363e..000000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-dynamic-categories.mdx +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -{} ---- - -import { Tabs, TabItem } from "~/components"; - - - -| Selector | Operator | Value | Action | -| ------------------------ | -------- | ------- | ------ | -| Request Context Category | is | Present | Block | - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-DNS-Bock-Category-Matches-In-Request", - "description": "Block all category matches in the requet edns context", - "precedence": 30, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "dns.categories_in_request_context_matches", - "identity": "" -}' -``` - - - - -```tf -resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { - account_id = var.cloudflare_account_id - name = "All-DNS-Bock-Category-Matches-In-Request" - description = "Block all category matches in the requet edns context" - enabled = true - action = "block" - filters = ["dns"] - traffic = "dns.categories_in_request_context_matches" - identity = "" -} -``` - - From 48f35037d2f0ee9db964e6f4c32559ca8a3fdf9e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Mar 2025 17:06:45 -0500 Subject: [PATCH 4/9] Add additional context --- .../gateway/dns-policies/common-policies.mdx | 12 ++++++++++-- .../policies/gateway/dns-policies/index.mdx | 2 +- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 2071458212c5b98..287ce32b0a8ff71 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -68,9 +68,17 @@ The categories included in this policy are not always a security threat, but blo product="cloudflare-one" /> -## Block dynamic list of categories +## Block a dynamic list of categories -Block a set of categories sent in the EDNS section of the request. The integer category list to block on, can be sent to the gateway DNS as JSON(`{"categories": []}`) via OPT code 65050. This is useful to filter by categories, that are not known at the time of creating a rule. Whenever a DNS request is blocked because of the request context categories, gateway will reply with an EDE Blocked(15) field containing an array of matched categories. +You can block a set of categories sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a request with the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector. The category ID list to block on can be sent to the gateway DNS as JSON using OPT code `65050`. For example: + +```json +{ + "categories": [2, 67, 125, 133] +} +``` + +This is useful to filter by categories that are not known at the time of creating a rule. When a DNS request is blocked because of the request context categories, Gateway will reply with an EDE Blocked(15) field containing an array of the matched categories. diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index fac39971f9af46a..a3a138135493c56 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -394,7 +394,7 @@ Use this selector to filter based on the IP addresses that the query resolves to ### Request Context Categories -Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the EDNS portion of a DNS query. Gateway includes request context with the OPT code `65050`. +Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`. | UI name | API example | Evaluation phase | | -------------------------- | --------------------------------------------------------------------- | --------------------- | From 4534e7ce17ec7cf889de466fd4bbfc6240fb66ab Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Mar 2025 17:07:44 -0500 Subject: [PATCH 5/9] Add to Allow and Block action list --- .../docs/cloudflare-one/policies/gateway/dns-policies/index.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index a3a138135493c56..3b76a0f5916bfaa 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -63,6 +63,7 @@ API value: `allow` - [Resolved Continent IP Geolocation](#resolved-continent) - [Resolved Country IP Geolocation](#resolved-country) - [Resolved IP](#resolved-ip) +- [Request Context Categories](#request-context-categories) - [Security Categories](#security-categories) - [Source Continent IP Geolocation](#source-continent) - [Source Country IP Geolocation](#source-country) 
@@ -114,6 +115,7 @@ API value: `block` - [Resolved Continent IP Geolocation](#resolved-continent) - [Resolved Country IP Geolocation](#resolved-country) - [Resolved IP](#resolved-ip) +- [Request Context Categories](#request-context-categories) - [Security Categories](#security-categories) - [Source Continent IP Geolocation](#source-continent) - [Source Country IP Geolocation](#source-country) From f7010a5c5ad81d5e7598940804d160571e913859 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Mar 2025 17:22:10 -0500 Subject: [PATCH 6/9] Add more context --- .../policies/gateway/dns-policies/common-policies.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 287ce32b0a8ff71..16831fc364bb769 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -70,7 +70,7 @@ The categories included in this policy are not always a security threat, but blo ## Block a dynamic list of categories -You can block a set of categories sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a request with the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector. The category ID list to block on can be sent to the gateway DNS as JSON using OPT code `65050`. For example: +You can add a list of category IDs to the [EDNS header](https://datatracker.ietf.org/doc/html/rfc6891) of a request sent to Gateway as a JSON object using OPT code `65050`. For example: ```json { 
@@ -78,7 +78,7 @@ You can block a set of categories sent in the [EDNS](https://datatracker.ietf.or } ``` -This is useful to filter by categories that are not known at the time of creating a rule. When a DNS request is blocked because of the request context categories, Gateway will reply with an EDE Blocked(15) field containing an array of the matched categories. +With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, Gateway will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories. From 0d1ea619be7b4b45a6eb5aa009cd7cdb21da35ec Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Mar 2025 17:35:06 -0500 Subject: [PATCH 7/9] Update API call --- .../policies/gateway/dns-policies/common-policies.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 16831fc364bb769..2a7545078eccba3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -8,7 +8,7 @@ head: content: Common DNS policies --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; The following policies are commonly used to secure DNS traffic. 
@@ -78,7 +78,7 @@ You can add a list of category IDs to the [EDNS header](https://datatracker.ietf } ``` -With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, Gateway will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories. +With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories. @@ -95,8 +95,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-Bock-Category-Matches-In-Request", - "description": "Block all category matches in the requet edns context", - "precedence": 30, + "description": "Block all category matches in the request EDNS context", "enabled": true, "action": "block", "filters": [ 
@@ -114,7 +113,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { account_id = var.cloudflare_account_id name = "All-DNS-Bock-Category-Matches-In-Request" - description = "Block all category matches in the requet edns context" + description = "Block all category matches in the request EDNS context" enabled = true action = "block" filters = ["dns"] From 7efd626dfcb0fea3d39ba17b31cceaa556240f30 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 16:50:18 -0400 Subject: [PATCH 8/9] Update src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx --- .../cloudflare-one/policies/gateway/dns-policies/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 3b76a0f5916bfaa..add8e649db2f16f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -398,9 +398,9 @@ Use this selector to filter based on the IP addresses that the query resolves to Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`. -| UI name | API example | Evaluation phase | -| -------------------------- | --------------------------------------------------------------------- | --------------------- | -| Request Context Categories | `any(dns.categories_in_request_context_matches[*] in {2 67 125 133})` | Before DNS resolution | +| UI name | API example | Evaluation phase | +| -------------------------- | ------------------------------------------- | --------------------- | +| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution | ### Security Categories From c0a739bc855f92a7093f6209f68309c8efd750af Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 18:02:07 -0400 Subject: [PATCH 9/9] Update src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx --- .../policies/gateway/dns-policies/common-policies.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 2a7545078eccba3..07cef2adcbd1af0 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -84,7 +84,7 @@ With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-polic | Selector | Operator | Value | Action | | ------------------------ | -------- | ------- | ------ | -| Request Context Category | is | Present | Block | +| Request Context Category | is | _Present_ | Block |
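Review bot: In PATCH 5/9, the new `- [Request Context Categories](#request-context-categories)` entry is inserted after `Resolved IP` in both the Allow and Block selector lists of index.mdx, which breaks the alphabetical order of the surrounding entries; place it ahead of the `Resolved ...` entries. The `### Request Context Categories` section added in PATCH 2/9 sits after the Resolved IP table and should move with it.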
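Review bot: The selector description in index.mdx ends with `Gateway includes request context with the OPT code 65050` (reworded in PATCH 3/9), which reads as if Gateway adds the option, while common-policies.mdx says the list is added to a request sent to Gateway. State plainly who sets the option. PATCH 8/9 also reduces the API example to the bare `dns.categories_in_request_context_matches`, so add a sentence on what that expression evaluates to, since the earlier `any(... in {2 67 125 133})` form is gone and the dashboard table only shows `is Present`.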
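Review bot: The paragraph after the JSON example in common-policies.mdx (PATCH 6/9, reworded in 7/9) leaves three things unspecified: which limit `without reaching your account limit` refers to, the name or format of the `field containing an array of the matched categories`, and what the policy does when a query arrives without option `65050` or with JSON that does not parse. Because the category list is supplied by the sender of the query, the last point decides whether filtering fails open, so document it. `EDNS header` in the preceding sentence is also looser than the linked RFC 6891, where options travel in the OPT pseudo-record; `EDNS option` would match it.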
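Review bot: PATCH 7/9 adds `APIRequest` to the `import { Render, Tabs, TabItem, APIRequest }` line of common-policies.mdx, but the API example in the same patch is still a raw `curl` block, so as far as these hunks show the import is unused. Either convert the example to the component or drop the import until it is needed.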
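Review bot: PATCH 7/9 fixes `requet` in the `description` of both examples but leaves `"name": "All-DNS-Bock-Category-Matches-In-Request"` in the curl body and the Terraform resource; correct `Bock` to `Block` in both. The Terraform label `block_content_categories` also reads like the static content-category policy, so a label that mentions the request context would avoid a clash for readers who copy both examples.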
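Review bot: In PATCH 9/9 the dashboard table row names the selector `Request Context Category`, singular, while the section heading, the link text and the UI name column in index.mdx all use `Request Context Categories`; use the plural here too. Changing `Present` to `_Present_` also makes the cell wider than the `-------` separator cell above it, so re-pad the Value column to keep the table source aligned.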