If your configuration has multiple AS profiles with sinkhole exceptions, how does the firewall determine which profile to apply? The AS profile will be applied to a security rule, but the sinkhole action should occur before actual traffic, so the firewall would not be able to match a security rule as it would not have an actual destination IP.
Is it only the AS profile that is applied to the security rule that allows the DNS request that matters in this case?
Thank you!
Yes. The sinkhole 'action' is a poisoning of the DNS reply preceding any session that requires a DNS lookup. Once the actual session is initiated, it will already be pointed to the sinkhole IP, so no further DNS security inspection/action needs to be taken at that point.
So to have more predictable control over any exceptions etc., it's best to create a specific rule for your DNS traffic and apply one single profile to that rule so all exceptions go into that one profile. Other rules can use a different profile, as exceptions won't matter there since there won't be any DNS traffic.
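To make the behaviour described in the answer concrete, here is an added example (not from this thread, and not Palo Alto Networks code) that models the two-step flow: the profile on the rule that permits the DNS query decides whether the reply is rewritten to the sinkhole address, and any later session from that client lands on the sinkhole address without further DNS inspection. It also shows the defender-side check that follows from this, listing hosts that connected to the sinkhole. The sinkhole address, the rulebase, the first-match rule lookup and the `src,dst,dport` log format are all constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder for the sinkhole address; substitute the address
# configured in your profile's DNS Sinkhole settings.
SINKHOLE_IP = "10.255.255.254"


@dataclass
class AntiSpywareProfile:
    """Minimal model of an Anti-Spyware profile's DNS sinkhole settings."""
    name: str
    sinkhole_domains: set[str]
    exceptions: set[str] = field(default_factory=set)

    def resolve(self, qname: str, real_ip: str) -> tuple[str, bool]:
        """Return (answer_ip, sinkholed): the reply is rewritten to the
        sinkhole address for listed domains unless the domain is excepted."""
        q = qname.lower().rstrip(".")
        if q in self.sinkhole_domains and q not in self.exceptions:
            return SINKHOLE_IP, True
        return real_ip, False


@dataclass
class SecurityRule:
    name: str
    src_zone: str                           # 'any' matches every zone
    app: str                                # 'dns', 'web-browsing', or 'any'
    profile: Optional[AntiSpywareProfile]   # None = no Anti-Spyware profile


def match_rule(rules, src_zone, app):
    """Simplified first-match lookup; the real rulebase is evaluated top-down."""
    for r in rules:
        if r.src_zone in (src_zone, "any") and r.app in (app, "any"):
            return r
    return None


def dns_lookup(rules, src_zone, qname, real_ip):
    """Simulate the DNS reply a client receives. Only the profile attached to
    the rule that permits the DNS query is consulted; profiles on other rules
    never see the lookup, so their exception lists are irrelevant here."""
    rule = match_rule(rules, src_zone, "dns")
    if rule is None or rule.profile is None:
        return real_ip, False, rule.name if rule else None
    ip, sinkholed = rule.profile.resolve(qname, real_ip)
    return ip, sinkholed, rule.name


def sinkholed_hosts(traffic_lines, sinkhole_ip=SINKHOLE_IP):
    """Defender-side check: a host that later opens a session to the sinkhole
    address followed a poisoned reply, so it asked for a listed domain.
    Lines are constructed 'src,dst,dport' records, not a real log export."""
    hits = {}
    for line in traffic_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")[:3]
        if dst == sinkhole_ip:
            hits.setdefault(src, set()).add(int(dport))
    return hits


# Constructed rulebase: one profile on the DNS rule, a different one elsewhere.
DNS_PROFILE = AntiSpywareProfile(
    "as-dns", sinkhole_domains={"bad.example", "test.example"},
    exceptions={"test.example"})
OTHER_PROFILE = AntiSpywareProfile("as-web", sinkhole_domains={"other.example"})

RULES = [
    SecurityRule("allow-dns", "trust", "dns", DNS_PROFILE),
    SecurityRule("allow-web", "trust", "web-browsing", OTHER_PROFILE),
]

SAMPLE_TRAFFIC = """\
# src,dst,dport   (constructed sample, not a firewall export)
192.0.2.10,10.255.255.254,443
192.0.2.11,198.51.100.5,443
192.0.2.10,10.255.255.254,80
"""

if __name__ == "__main__":
    for name in ("bad.example", "test.example", "other.example"):
        print(name, dns_lookup(RULES, "trust", name, "198.51.100.5"))
    print(sinkholed_hosts(SAMPLE_TRAFFIC.splitlines()))
```

Note that `other.example` is not sinkholed even though `as-web` lists it: that profile sits on a rule that never carries DNS traffic, which is exactly why the answer recommends putting all sinkhole exceptions into the single profile attached to the DNS rule.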