DNS rewrite is enhanced to allow you to specify that DNS responses should be modified only when the DNS client matches specific source zones or source addresses configured in NAT rules.
You can now configure DNS rewrite conditions to control when DNS address translation occurs based on the DNS client's characteristics. This enhancement allows you to specify that DNS responses should only be modified when the DNS client matches particular source zones or source addresses configured in your NAT rules. When you enable DNS rewrite conditions, the firewall evaluates whether the DNS client requesting the resolution matches your configured criteria before performing any address translation in the DNS response.
You might want to use this feature when you have specific DNS clients that require a
different DNS resolution behavior from others in your network. For example, if you
have internal users who should receive translated addresses for certain services,
while external or guest users should receive the original addresses, you can
configure DNS rewrite conditions to apply translation only to traffic from
designated internal zones. This gives you granular control over which clients
receive modified DNS responses, rather than applying DNS rewrite globally to all
clients requesting resolution for a particular address.
The feature supports both positive matching (where you can specify that DNS rewrite
should occur only when the client matches the NAT rule's source zone and address)
and negative matching (through exclusion lists, where you can specify particular
source zones or IP address ranges that shouldn't undergo a DNS rewrite for the
specific NAT policy rule).
When you configure these conditions, the firewall performs the same DNS rewrite
mapping lookup process as before, but adds an additional validation step to verify
that the requesting DNS client meets your specified criteria. If the client does not
match the configured conditions, the firewall skips the DNS rewrite for that
particular request, while still processing other DNS rewrite rules that might apply
to different clients requesting the same address resolution.
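The evaluation order described above (mapping lookup, then a client check against the rule's source zone and source addresses, with exclusion lists taking precedence) can be made concrete with a small model. The following Python is an added illustration, not firewall code or a vendor API: the rule fields, the rule names and the addresses are constructed for the example, and the second rule for the same original address shows that a client that fails one rule's conditions can still be served by another rule whose conditions it meets.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DnsRewriteRule:
    """Model of a NAT rule that carries a DNS rewrite mapping plus client conditions.

    All field names are assumptions for this example, not product configuration keys.
    """
    name: str
    original: str                 # address as it appears in the DNS answer
    translated: str               # address the firewall substitutes into the answer
    source_zones: set[str] = field(default_factory=set)        # positive match
    source_addresses: list[str] = field(default_factory=list)  # positive match (CIDRs)
    exclude_zones: set[str] = field(default_factory=set)       # negative match
    exclude_addresses: list[str] = field(default_factory=list) # negative match (CIDRs)
    conditions_enabled: bool = True   # False = legacy behaviour, rewrite for every client


def _in_any(addr: str, networks: list[str]) -> bool:
    """True if addr falls inside any of the listed CIDR ranges."""
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in networks)


def client_matches(rule: DnsRewriteRule, client_zone: str, client_ip: str) -> bool:
    """Apply the rule's DNS rewrite conditions to the requesting DNS client.

    Exclusion lists are checked first; then, if positive criteria are configured,
    the client must match the rule's source zone and source address.
    """
    if not rule.conditions_enabled:
        return True
    if client_zone in rule.exclude_zones or _in_any(client_ip, rule.exclude_addresses):
        return False
    if rule.source_zones and client_zone not in rule.source_zones:
        return False
    if rule.source_addresses and not _in_any(client_ip, rule.source_addresses):
        return False
    return True


def rewrite_dns_answers(rules: list[DnsRewriteRule], client_zone: str,
                        client_ip: str, answers: list[str]) -> list[str]:
    """Rewrite each answer address using the first rule whose mapping and client
    conditions both match; answers with no qualifying rule are left unchanged."""
    result = []
    for addr in answers:
        new_addr = addr
        for rule in rules:                     # rules are evaluated in order
            if rule.original == addr and client_matches(rule, client_zone, client_ip):
                new_addr = rule.translated
                break
        result.append(new_addr)
    return result


# Constructed sample policy: two rules map the same public address for
# different client populations; guest clients match neither rule.
SAMPLE_RULES = [
    DnsRewriteRule(
        name="internal-web",
        original="203.0.113.10", translated="10.1.1.10",
        source_zones={"trust"}, source_addresses=["10.0.0.0/8"],
        exclude_addresses=["10.9.0.0/16"],   # a lab subnet that keeps the original address
    ),
    DnsRewriteRule(
        name="partner-web",
        original="203.0.113.10", translated="172.16.5.10",
        source_zones={"partner"}, source_addresses=["172.20.0.0/16"],
    ),
]

if __name__ == "__main__":
    for zone, ip in [("trust", "10.1.2.3"), ("trust", "10.9.1.1"),
                     ("partner", "172.20.1.1"), ("guest", "192.168.50.5")]:
        print(zone, ip, rewrite_dns_answers(SAMPLE_RULES, zone, ip, ["203.0.113.10"]))
```

Running the block prints one line per sample client; a trust client in the excluded lab subnet and a guest client both keep the original address, while the partner client is served by the second rule.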