Managing the Order of Match Lists

When you configure certain DNS and DHCP functions, you can create match lists that the appliance uses to filter specific IP addresses for specific operations. For example, you can create a DNS blackhole list for including and excluding DNS traffic to certain IP addresses, configure a list of IP addresses for allowing and denying DDNS updates, or define a Match Destinations list that identifies destination addresses and TSIG keys that are allowed access to a DNS view.
The appliance matches rules in these lists from top to bottom. Rules at the top always take precedence over those at the bottom. Therefore, ensure that you put the most specific rules at the top of the list, and then put the more general rules at the bottom.

For example, when you add network 10.10.0.0/24 to a DNS blackhole list, all 256 IP addresses in the network are put on the blackhole list. To allow DNS traffic to the specific IP addresses 10.10.0.55 and 10.10.0.88, you must add these two addresses at the top of the blackhole list before the network address 10.10.0.0/24, and then set their permissions to "Exclude."

The same applies when you set up the list of clients for DDNS updates. If you want to deny DDNS updates from a specific client (10.0.0.99) and allow DDNS updates from all other clients in the 10.0.0.0/24 network, you must put 10.0.0.99 at the top of the list and configure the appliance to deny DDNS updates from this client. You then add network 10.0.0.0/24 for allowing DDNS updates from all other clients at the bottom of the list.
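The following is an added example, not code from the appliance or its documentation. It models the top-to-bottom, first-match evaluation described above with Python's standard `ipaddress` module, builds the two sample lists from the page (the blackhole list with the two excluded hosts, and the DDNS list with the denied client), and adds a check that reports entries shadowed by a broader rule placed above them, which is the ordering mistake that silently discards a specific rule. The function names, the `include`/`exclude`/`allow`/`deny` action strings and the sample lists are assumptions made for the illustration, not appliance API.

```python
# Added example (not appliance code): first-match evaluation of an ordered
# match list, plus a check for rules that can never match because a broader
# rule sits above them. Names and action strings are constructed for this demo.
import ipaddress
from typing import List, Optional, Tuple

# A rule is (address or CIDR, action). Actions are free-form strings here.
Rule = Tuple[str, str]


def evaluate(match_list: List[Rule], address: str) -> Optional[str]:
    """Return the action of the first rule whose network contains the address.

    Rules are tested in list order, so an earlier rule always wins over a
    later one. None means no rule matched and the caller's default applies.
    """
    ip = ipaddress.ip_address(address)
    for entry, action in match_list:
        # strict=False lets a host address such as 10.10.0.55 parse as a /32.
        if ip in ipaddress.ip_network(entry, strict=False):
            return action
    return None


def shadowed_rules(match_list: List[Rule]) -> List[Tuple[int, int]]:
    """Find entries fully covered by an earlier, broader entry.

    Returns (earlier_index, shadowed_index) pairs. A specific rule placed below
    a network that already contains it never matches: the broad rule fires
    first, which is exactly the ordering problem the page warns about.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry, _ in match_list]
    found = []
    for later in range(len(nets)):
        for earlier in range(later):
            same_family = nets[later].version == nets[earlier].version
            if same_family and nets[later].subnet_of(nets[earlier]):
                found.append((earlier, later))
                break  # report the first shadowing rule only
    return found


# Constructed sample lists mirroring the page's two examples.
BLACKHOLE_CORRECT: List[Rule] = [
    ("10.10.0.55", "exclude"),   # specific hosts first ...
    ("10.10.0.88", "exclude"),
    ("10.10.0.0/24", "include"),  # ... then the whole network
]
BLACKHOLE_WRONG: List[Rule] = [
    ("10.10.0.0/24", "include"),  # broad rule on top shadows the hosts below
    ("10.10.0.55", "exclude"),
    ("10.10.0.88", "exclude"),
]
DDNS_CORRECT: List[Rule] = [
    ("10.0.0.99", "deny"),
    ("10.0.0.0/24", "allow"),
]


def audit(name: str, match_list: List[Rule], probes: List[str]) -> None:
    """Print how each probe address is handled and any shadowed entries."""
    print(f"{name}:")
    for probe in probes:
        print(f"  {probe:>12} -> {evaluate(match_list, probe)}")
    for earlier, later in shadowed_rules(match_list):
        print(f"  WARNING: rule {later} {match_list[later]} is shadowed "
              f"by rule {earlier} {match_list[earlier]}")


if __name__ == "__main__":
    audit("blackhole (correct order)", BLACKHOLE_CORRECT, ["10.10.0.55", "10.10.0.7"])
    audit("blackhole (wrong order)", BLACKHOLE_WRONG, ["10.10.0.55", "10.10.0.7"])
    audit("ddns (correct order)", DDNS_CORRECT, ["10.0.0.99", "10.0.0.5", "10.0.1.5"])
```

Running `shadowed_rules` over a list before committing it is a cheap sanity check: any reported pair means a rule you intended as an exception is being ignored, and the fix is to move it above the network entry that covers it.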