The image compares the transaction flow of a valid DNS request to a disallowed DNS request.

In the valid DNS request, a requestor attempts to access the website foo.com. The response goes to the OCI DNS listener, which consults a set of rules. These rules determine that requests for *.foo.com should go to DNS resolver A and sends the request on to a OCI DNS forwarder, which, in turn, forwards the request to DNS resolver A. DNS resolver A returns a response back through the OCI DNS forwarder, from which it goes back through the OCI DNS listener to the address requester.

In the disallowed DNS request , a requestor attempts to access the website junk.biz. The response goes to the OCI DNS listener, which consults a set of rules. These rules determine that requests for anything .biz (*.biz) returns an NX_DOMAIN response; that is, a null redirect and the request is denied.