DNS Rule Engine Policy
DNS supports the same rule engine model used by Proxy, adapted to DNS query facts.
Canonical policy spec artifact: `products/dns/dns_rule_engine_policy_spec.json`
Enable policy in DNS config

```json
{
  "policy_file_path": "/etc/titaniumguard/dns-policy.json",
  "rule_engine": {
    "max_trace_facts": 64,
    "enable_explain_logs": true
  }
}
```
Evaluation semantics
- Rule sets are validated and compiled at startup.
- Evaluation uses ordered rules with first-match-wins.
- If no rule matches, `defaults.action` is applied.
- DNS deny decisions return `REFUSED`.
- On config reload, invalid policy updates are rejected and the previous active policy stays loaded.
Runtime facts
Examples of DNS facts available to predicates:
- `client.ip`
- `dns.qname`
- `dns.qtype`
- `dns.qclass`
- `dns.dnssec_ok`
- `dns.recursion_desired`
- `conn.protocol`
- `time.local.hour`
- `time.local.dow`
Minimal deny example

```json
{
  "version": "1.0.0",
  "defaults": { "action": "ALLOW", "log_level": "info", "fail_closed": false },
  "evaluation": { "mode": "ORDERED", "first_match_wins": true, "tie_breakers": [], "merge_rule_sets": [] },
  "dimensions": {
    "dns.qname": { "type": "string", "source_stage": "REQUEST", "description": "DNS query name" }
  },
  "operators": {
    "EQ": { "applicable_types": ["string"], "value_schema": { "type": "string" }, "semantics": "Exact equality" }
  },
  "schemas": {},
  "evaluation_semantics": {},
  "specificity": {},
  "examples": {},
  "explain_trace": {},
  "implementation_notes": {},
  "rule_sets": [
    {
      "id": "global",
      "scope": "GLOBAL",
      "enabled": true,
      "rules": [
        {
          "id": "block-malware-domain",
          "enabled": true,
          "priority": 100,
          "description": "Block known malware domain",
          "when": {
            "all": [
              { "field": "dns.qname", "op": "EQ", "value": "malware.example." }
            ]
          },
          "action": {
            "type": "DENY",
            "deny": {
              "reason": "blocked domain",
              "status_code": 403,
              "body": "blocked"
            }
          },
          "provenance": {
            "created_at": "2026-03-05T00:00:00Z",
            "updated_at": "2026-03-05T00:00:00Z",
            "created_by": "security-team"
          }
        }
      ]
    }
  ]
}
```
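To make the evaluation semantics above concrete (validate at load, ordered first-match-wins, `defaults.action` fallback, DENY mapped to `REFUSED`, and a rejected reload keeping the previous policy active), here is a small added reference evaluator that runs the minimal deny example against DNS facts. It is illustrative code written for this page, not TitaniumGuard's own engine; the `OPERATORS` table, the `RCODE` mapping and the `Engine` class are assumptions, and rules are evaluated in listed order because the page does not state how `priority` reorders them.

```python
import json

# Constructed policy mirroring the page's minimal deny example, trimmed to the keys this hypothetical evaluator reads.
POLICY_JSON = """{
  "defaults": {"action": "ALLOW", "fail_closed": false},
  "evaluation": {"mode": "ORDERED", "first_match_wins": true},
  "rule_sets": [{"id": "global", "enabled": true, "rules": [
    {"id": "block-malware-domain", "enabled": true, "priority": 100,
     "when": {"all": [{"field": "dns.qname", "op": "EQ", "value": "malware.example."}]},
     "action": {"type": "DENY", "deny": {"reason": "blocked domain"}}}]}]}"""

OPERATORS = {"EQ": lambda fact, value: fact == value}  # assumed operator table; page shows only EQ
RCODE = {"DENY": "REFUSED", "ALLOW": None}  # ALLOW: no rcode, the query continues to resolution

def compile_policy(raw):
    """Validate once at load time; raise on anything the engine could not evaluate."""
    pol = json.loads(raw)
    if pol["evaluation"].get("mode") != "ORDERED" or not pol["evaluation"].get("first_match_wins"):
        raise ValueError("only ORDERED / first_match_wins evaluation is supported")
    if pol["defaults"]["action"] not in RCODE:
        raise ValueError("defaults.action must be ALLOW or DENY")
    rules = []  # flattened in listed order (assumption: 'priority' ordering is not specified on the page)
    for rs in pol["rule_sets"]:
        for r in rs["rules"]:
            if not (rs.get("enabled", True) and r.get("enabled", True)):
                continue
            for pred in r["when"]["all"]:
                if pred["op"] not in OPERATORS:
                    raise ValueError(f"rule {r['id']}: unknown operator {pred['op']}")
            rules.append(r)
    return {"defaults": pol["defaults"], "rules": rules}

def evaluate(compiled, facts):
    """First match wins; returns (action, rule_id, rcode), rule_id is None when defaults apply."""
    for r in compiled["rules"]:
        if all(OPERATORS[p["op"]](facts.get(p["field"]), p["value"]) for p in r["when"]["all"]):
            return r["action"]["type"], r["id"], RCODE[r["action"]["type"]]
    return compiled["defaults"]["action"], None, RCODE[compiled["defaults"]["action"]]

class Engine:
    """Holds the active policy; a rejected reload leaves the previous policy in place."""
    def __init__(self, raw):
        self.active = compile_policy(raw)
    def reload(self, raw):
        try:
            candidate = compile_policy(raw)  # JSONDecodeError is a ValueError, so bad JSON is covered
        except (ValueError, KeyError, TypeError):
            return False  # invalid update rejected; self.active is untouched
        self.active = candidate
        return True
```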