NS1's fencing filters allow you to steer DNS traffic to specific record answers using an autonomous system number (ASN), IP prefix, or location.
Filter | Description |
---|---|
Netfence ASN |
This filter eliminates answers whose ASN metadata value(s) do not match the autonomous system (AS) of the requester's IP address. Answers without an ASN metadata value are not eliminated unless you select the "Remove answers without ASN on match" option. For example, let's say you apply the Netfence ASN filter to a record with two answers: Answer #1 has an ASN value set to 2914, 3257, and Answer #2 does not have an ASN metadata value set. In this example:
Note: The "Remove answers without ASN on match" option only applies if there is at least one entry in the ASN list that matches the requester AS. In other words, even with the option enabled, if no answers match the ASN, then answers without ASNs not set remain eligible. WARNING
Do not use this filter for security purposes. DNS security features are not currently strong enough to secure traffic. You should implement strong security within the applications, firewalls, access control lists, or other points of contact with your DNS records instead. |
Netfence prefix | This filter eliminates answers in which the requester’s IP does not match the IP prefix list of the answer. Answers with no set ip_prefixes value are not eliminated unless you select the Remove answers without ip_prefixes on match option.
For example, assume that you have a record with two answers: One with its If you select Remove answers without WARNING
Do not use this filter for security purposes. DNS security features are not currently strong enough to secure traffic. You should implement strong security within the applications, firewalls, access control lists, or other points of contact with your DNS records instead. |
Geofence country | This filter eliminates answers in which the country, subdivision, state, or province metadata does not match the requester’s location. If the requester’s location does not match the metadata of any answers, all answers without a country, subdivision, state, or province are returned. If no such answer exists, then a NO ERROR, NO ANSWER status will be returned, and the answer data will be blank.
NS1 compares the most granular location in the answer metadata fields to a geoIP database to determine the location of the requester based on one of the following:
If you select Remove answers that don’t match location metadata if any match, answers are removed only if at least one answer contains location metadata that matches the requester’s location. If no answers meet this requirement, answers with no location are returned. |
Geofence regional | This filter eliminates answers from different geographical regions than the requester. Answers without a georegion value set are not eliminated unless you select the Remove answers without georegion on match option.
This filter examines the If you do not select the Remove answers without |