Fencing 101


Fencing 101

NS1 allows you to restrict requests originating from a specific ASN, location and/or IP to specific answers. Fencing can be utilized with the following filters: GEOFENCE_REGIONAL, GEOFENCE_COUNTRY, NETFENCE_ASN, NETFENCE_PREFIX.


How it works:


The NETFENCE_ASN filter is given the IP address or the EDNS Client Subnet of the originating end user. The filter then determines the Autonomous System Number (ASN) of this IP address or subnet. It compares this ASN to the ASN metadata in each answer and returns accordingly.

The NETFENCE_PREFIX filter is given the IP address of the requesting resolver or the EDNS Client Subnet of the originating end user if available. It then compares the IP to the prefix metadata in each answer and returns accordingly.

The GEOFENCE_COUNTRY filter is given the IP address of the requesting resolver or the EDNS Client Subnet of the originating end user if available. The filter then determines the location of this IP address or subnet using our GeoIP database. It then compares the location to the country/state or CA province metadata in each answer and returns accordingly.

The GEOFENCE_REGIONAL filter is given the IP address of the requesting resolver or the EDNS Client Subnet of the originating end user if available. The filter then determines the location of this IP address or subnet using our GeoIP database. It then compares the location to the region metadata in each answer and returns accordingly.

Option: Remove answers without matching value on any match:

If this box is checked and a match exists between the requesters data and one of the answers available, the filter will remove non-matching answers and will return only the matching answers to the next filter in the chain. If there is no match, all answers without ASN metadata will be returned.

If it is unchecked, any matching answers will be returned first, followed by the answers without relative metadata.  

Notes, and a Caution:

This filter uses the IP address of the DNS resolver and, if present, the EDNS Client Subnet of the originator. Stub resolvers and forwarders can make this filter ineffective. The use of public DNS resolvers which do not support EDNS Client Subnet will also make this filter ineffective.

Fencing filters can cause NOERROR / no answer responses for queries originating from an ASN, IP, or location that does not match any available metadata. To avoid returning no answers on non-matching queries, a default answer without metadata should be made available.

Request a Demo

Contact Us

Get Pricing