6.7.4.1. Matching domain names with DNSMatcher

DNSMatcher retrieves the IP addresses of domain names. This can be used in domain name based policy decisions, for example to allow encrypted connections only to trusted e-banking sites. If the IP address of the name server is not specified in the DNS Server field, the name server set in the Networking component is used (see Section 5.3, Managing client-side name resolution for details).

By default, domain names are resolved on demand rather than at Zorp startup, so that startup is not slowed down unnecessarily. To resolve the domain names at every startup instead, enable the resolve_on_init parameter.

Note

If the zones or the matchers contain elements that cannot be resolved, the waiting time can increase until the lookup times out.

It is recommended to run a locally installed caching DNS service that can provide fast responses, and to monitor it for the domains in use.
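To make the on-demand versus resolve_on_init behaviour concrete, here is an added, self-contained model of a DNS-based matcher. It is illustrative code written for this section, not Zorp's own DNSMatcher implementation; the class name LazyDNSMatcher, the injected resolver callable and the constructed lookup table with TEST-NET addresses are all assumptions. With the default on-demand mode no name is resolved until the matcher is first consulted, and an unresolvable name is recorded rather than silently ignored, which is the situation the note above warns can extend waiting time while a real resolver times out.

```python
import socket
from typing import Callable, Dict, Iterable, Mapping, Optional, Set

# Hypothetical resolver type: maps a domain name to its set of IP address strings.
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve via the system stub resolver (getaddrinfo).

    Used only when no resolver is injected; a name that does not resolve
    yields an empty set after the resolver's own timeout elapses.
    """
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


class LazyDNSMatcher:
    """Matches an IP address against the addresses of configured domain names.

    resolve_on_init=False (the default here, as in the text) defers every
    lookup until the matcher is first consulted; resolve_on_init=True resolves
    all names up front, at the cost of a slower startup.
    """

    def __init__(self, hosts: Iterable[str], resolver: Optional[Resolver] = None,
                 resolve_on_init: bool = False) -> None:
        self.hosts = tuple(hosts)
        self._resolver: Resolver = resolver or system_resolver
        self._cache: Dict[str, Set[str]] = {}   # name -> resolved addresses
        self.failed: Set[str] = set()            # names that returned no address
        if resolve_on_init:
            for host in self.hosts:
                self._lookup(host)

    def _lookup(self, host: str) -> Set[str]:
        # Resolve each name at most once; an empty answer is cached too, so a
        # broken name costs one resolver timeout, not one per connection.
        if host not in self._cache:
            addrs = self._resolver(host)
            self._cache[host] = addrs
            if not addrs:
                self.failed.add(host)
        return self._cache[host]

    def matches(self, ip: str) -> bool:
        # any() short-circuits, so in on-demand mode only the names needed to
        # reach a decision are resolved.
        return any(ip in self._lookup(host) for host in self.hosts)

    def resolved_count(self) -> int:
        return len(self._cache)


def make_table_resolver(table: Mapping[str, Iterable[str]]) -> Resolver:
    """Build an offline resolver from a constructed name -> addresses table."""
    return lambda name: set(table.get(name, ()))


# Constructed sample data (RFC 5737 TEST-NET addresses, not real lookups).
SAMPLE_TABLE = {
    "example2.com": {"192.0.2.10"},
    "example3.com": {"192.0.2.20", "192.0.2.21"},
}
SAMPLE_HOSTS = ("example2.com", "example3.com", "unresolvable.invalid")


def demo() -> Dict[str, object]:
    """Run both modes against the constructed table and report what was resolved."""
    resolver = make_table_resolver(SAMPLE_TABLE)
    lazy = LazyDNSMatcher(SAMPLE_HOSTS, resolver=resolver)
    before = lazy.resolved_count()                 # 0: nothing resolved yet
    hit = lazy.matches("192.0.2.10")               # True, resolves example2.com only
    after_hit = lazy.resolved_count()              # 1
    miss = lazy.matches("198.51.100.5")            # False, resolves the rest
    eager = LazyDNSMatcher(SAMPLE_HOSTS, resolver=resolver, resolve_on_init=True)
    return {
        "lazy_before": before, "hit": hit, "lazy_after_hit": after_hit,
        "miss": miss, "lazy_after_miss": lazy.resolved_count(),
        "lazy_failed": lazy.failed, "eager_resolved": eager.resolved_count(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Replacing the table resolver with system_resolver turns the model into a live lookup, at which point the cost of an unresolvable name becomes the stub resolver's timeout; running the matcher against a local caching DNS service, as the text recommends, keeps that cost low and observable.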

Example 6.10. DNSMatcher for two domain names
Figure 6.66. Sample DNSMatcher policy

Python:
# Resolve the two listed domain names on dns.example.com; the resulting
# IP addresses are what the policy matches connections against.
MatcherPolicy(name="ExampleDomainMatcher",
              matcher=DNSMatcher(server="dns.example.com",
                                 hosts=("example2.com", "example3.com")))