About Policies by Domain Name (FQDN)
You can use Fully Qualified Domain Names (FQDN) in your Firebox policy configurations. If you use FQDNs in the configuration, you must also configure DNS on the Firebox so that the Firebox can resolve the domain names. For more information, go to DNS Configuration.
You can use domain names in your policies to control traffic based on domain. For example:
- Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked.
- Block or allow traffic to specific domains.
- Block traffic to a specific domain, but create an exception for a subdomain.
- Use the HTTP proxy for all web traffic, but bypass the proxy for content delivery networks such as *.akamai.com.
- Use different proxy policies for different domains. For example, you can use one proxy policy for example.com, and use a different proxy policy for example2.com.
With domain name support, you can:
- Use domain names as members of Aliases
- Use domain names in Blocked Sites and Blocked Site Exceptions.
- Use domain names in Quota Exceptions
- Use domain names in Geolocation Exceptions
- Use domain names in the From and To fields of a Policy
You can use a specific domain name (host.example.com) or a wildcard domain name (*.example.com). For example, the wildcard domain *.example.com includes:
- example.com
- a.example.com
- b.example.com
- a.b.example.com
Wildcard domain names must include at least two domain labels, for example *.example.com. Wildcard domain names that include only the top-level domain, such as *.com, are not supported.
You can also use subdomain wildcards, for example:
- *.b.example.com
- *.b.c.example.com
- *.b.c.d.example.com
Multi-level subdomain wildcards in FQDN are only supported in Fireware v12.2 and higher.
These wildcard entries are not supported:
- *.net or *.com (the list of IP address entries would be too large to process)
- *.*.example.com
- example*.com
- *.example.*.com
- example.*.com
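The entry rules above (a specific host, or a single leading wildcard label followed by at least two labels, covering the base domain and subdomains at any depth) in code. This is an added example written for this page, not Firebox code; the function names are our own.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_fqdn_entry(entry):
    """Return (ok, reason) for a policy FQDN entry, following the page's rules:
    either a specific host name, or a wildcard written as one leading '*.' label
    followed by at least two labels (so *.example.com is fine, *.com is not)."""
    entry = entry.strip().lower().rstrip(".")
    labels = entry.split(".")
    if entry.startswith("*."):
        rest = labels[1:]
        if any("*" in label for label in rest):
            return False, "only a single leading wildcard label is allowed"
        if len(rest) < 2:
            return False, "a wildcard needs at least two domain labels"
        if not all(_LABEL.match(label) for label in rest):
            return False, "invalid domain label"
        return True, "ok"
    if "*" in entry:
        return False, "'*' is only allowed as the whole first label"
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False, "invalid host name"
    return True, "ok"


def fqdn_matches(entry, name):
    """True if host `name` falls under policy entry `entry`. A wildcard
    *.example.com covers example.com itself and subdomains at any depth."""
    entry, name = entry.lower().rstrip("."), name.lower().rstrip(".")
    if entry.startswith("*."):
        base = entry[2:]
        return name == base or name.endswith("." + base)
    return name == entry
```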
Domain Name Resolution
When you define a domain name in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP address mappings. For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.
To resolve the subdomains implied by *.example.com, the Firebox analyzes DNS replies that match your domain name configuration. As DNS traffic passes through the Firebox, the Firebox stores the IP address mapping responses to relevant queries. Only A and CNAME records are used. Any other records are ignored.
Limitations
Note these limitations when you use domain names:
- The sanctioned DNS server used to resolve domain names is the first static DNS server in your configuration, or the first DNS server obtained if your Firebox uses DHCP or PPPoE on the external interface.
- Only IPv4 addresses are supported.
- There is no limit on the total number of domain names you can configure in Policies, Alias members, Blocked Sites, Blocked Site Exceptions, Geolocation Exceptions, and Quota Exceptions.
The number of configured domain names can affect performance. The maximum recommended number of domain names is 2048. The Firebox generates a warning log message when you save a configuration that exceeds 2048 domain names. For example:
2020-12-17 16:28:01 wgagent The number of FQDNs exceeds the recommended maximum of 2048 Debug
- Each domain can map up to 255 IP addresses. Older IP addresses are dropped when the maximum is reached.
- The Firebox retains DNS entries for FQDNs for the amount of time specified by the TTL (Time To Live) value provided by the DNS server.
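A model of the reply analysis described under Domain Name Resolution combined with the limits listed above: only A and CNAME records from replies to names that match a configured entry are used, each address lives for its TTL, and a domain keeps at most 255 addresses with the oldest dropped first. This is an added example for this page, not Firebox code; the class, the record tuples and the simulated clock are our own constructions.

```python
from collections import OrderedDict

MAX_IPS_PER_DOMAIN = 255  # the page's per-domain cap; older addresses are dropped

class FqdnMappingCache:
    """Model of the passive reply analysis described above: only A and CNAME
    records in replies to names that match a configured entry are used (AAAA
    and other types are ignored), an address lives for its TTL, and a domain
    holds at most MAX_IPS_PER_DOMAIN addresses, oldest dropped first."""

    def __init__(self, configured, now=0):
        self.configured = [c.lower().rstrip(".") for c in configured]
        self.now = now        # simulated clock, in seconds
        self.map = {}         # entry -> OrderedDict{ip: expiry time}

    def _entry_for(self, name):
        for e in self.configured:
            if e.startswith("*.") and (name == e[2:] or name.endswith(e[1:])):
                return e
            if name == e:
                return e
        return None

    def ingest_reply(self, qname, records):
        """records: (owner, rtype, ttl, rdata) tuples from one reply's answer section."""
        qname = qname.lower().rstrip(".")
        entry = self._entry_for(qname)
        if entry is None:
            return 0          # reply does not concern a configured FQDN
        chain, added = {qname}, 0   # names reached from qname via CNAME
        for owner, rtype, ttl, rdata in records:
            if owner.lower().rstrip(".") not in chain:
                continue      # record for an unrelated name in the same reply
            if rtype == "CNAME":
                chain.add(rdata.lower().rstrip("."))
            elif rtype == "A":
                bucket = self.map.setdefault(entry, OrderedDict())
                bucket.pop(rdata, None)        # re-insert so it counts as newest
                bucket[rdata] = self.now + ttl
                added += 1
                while len(bucket) > MAX_IPS_PER_DOMAIN:
                    bucket.popitem(last=False) # drop the oldest address
        return added

    def addresses(self, entry):
        """Unexpired IPv4 addresses currently mapped to a configured entry."""
        bucket = self.map.get(entry.lower().rstrip("."), OrderedDict())
        for ip in [ip for ip, exp in bucket.items() if exp <= self.now]:
            del bucket[ip]
        return sorted(bucket)
```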
Configuration Considerations
When you configure domain names, keep these considerations in mind:
- A domain name can correspond to multiple IP addresses — It is possible that different DNS servers can return different IP address replies based on geographical location, time zone, load balancing configurations, and other factors.
- A specific IP address may map to several domain names — When a domain is resolved to an IP address, it is equivalent to a firewall policy with that specific IP address in the policy. If another domain or subdomain also resolves to the same IP address, traffic to or from that domain will also match this policy. This can create complications if you configure different traffic actions for each domain or wildcard domain. The FQDN IP mapping used is determined by the processing precedence:
- Blocked site exceptions
- Blocked sites
- Policies (based on the policy order)
When you use an FQDN that directs to a content delivery network (CDN), the selected behavior applies to all traffic that uses the same IP address(es) at the CDN. This might cause blocked sites, exceptions, and policy settings to handle traffic that has a destination with the same IP address(es). You might encounter this issue more frequently if you use wildcard domain names.
If you want to control access to specific sites and applications, consider the use of WebBlocker or Application Control, which might be better options.
- The same FQDN can be used in more than one policy — The policy configuration prevents issues with multiple FQDN matches occurring in different packet-level features, such as blocked sites exceptions, blocked sites, and policies. FQDNs are resolved by the policy precedence.
- Multiple domain names for the same site — Many website main pages pull data from other websites and second-level domains for images and other information. If you block all traffic and allow a specific domain, you must also allow any additional domains that are called by the page. The Firebox will attempt to map IP addresses from second-level domains for a wildcard domain to provide the full content for a site.
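The shared-IP behaviour and the processing precedence described above (blocked site exceptions, then blocked sites, then policies in order), as an added example that is not Firebox code. The mapping table, policy list and IP addresses are constructed for the illustration; the default of dropping unmatched traffic follows the DNS Configuration section.

```python
def resolve_action(dst_ip, mappings, blocked_exceptions, blocked_sites, policies):
    """Decide how traffic to dst_ip is handled, the way the page describes:
    every configured FQDN whose current IP set contains dst_ip matches, and the
    first matching feature in precedence order wins. `mappings` is
    {entry: set(ips)} as built from DNS replies; `policies` is an ordered list
    of (policy_name, action, [entries]). Returns (action, reason)."""
    matched = {entry for entry, ips in mappings.items() if dst_ip in ips}
    hits = matched & set(blocked_exceptions)
    if hits:
        return "allow", "blocked site exception for " + ", ".join(sorted(hits))
    hits = matched & set(blocked_sites)
    if hits:
        return "deny", "blocked site " + ", ".join(sorted(hits))
    for name, action, entries in policies:      # policy order decides
        hits = matched & set(entries)
        if hits:
            return action, f"policy {name} via " + ", ".join(sorted(hits))
    return "deny", "no policy matched"           # unmatched traffic is dropped


def shared_ip_conflicts(mappings):
    """Addresses that more than one configured entry maps to: the CDN
    collision the page warns about, where one entry's action silently
    applies to traffic meant for the other name."""
    owners = {}
    for entry, ips in mappings.items():
        for ip in ips:
            owners.setdefault(ip, set()).add(entry)
    return {ip: sorted(es) for ip, es in owners.items() if len(es) > 1}
```

Run against a table where an update host and a wildcard share one CDN address: the first policy in order wins for that address regardless of which name the client asked for, and adding the wildcard to Blocked Sites blocks the update host on that address as well.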
DNS Configuration
The Firebox uses a DNS server to resolve each domain name to an IP address. To use FQDNs, you must configure a DNS server in the network settings of your Firebox, or configure the external interface to use DHCP or PPPoE to get a DNS configuration. We recommend that your clients and your Firebox use the same DNS server. If the client holds different IP and domain mappings than the Firebox, the traffic will not match the correct policy and could be allowed by a different policy, or dropped if no policy is matched.
If clients try to reach an internal destination with an internal DNS server, the Firebox may not have an opportunity to analyze this traffic for local servers. We recommend that if you use an internal DNS server, the DNS server should be located on a different internal network than your clients so that the Firebox can see and analyze replies from the DNS server.
Domain name configuration and management is affected by your current network topology and the location of your DNS server, as described in the next sections.
Internal DNS on Local Network
If clients and your Firebox use an internal DNS server on the same network zone:
- Configure your clients and Firebox to use the local DNS server as the primary name server.
- When you add wildcard domain entries, you must flush the local DNS cache of your clients and your DNS server to make sure domain/IP mappings are refreshed. This allows new analysis and mappings of DNS replies by your Firebox.
- To flush the local DNS cache of your DNS server, see the documentation for your DNS server.
- To display and flush the DNS cache of a Windows client, type these commands from the command line:
- ipconfig /displaydns
- ipconfig /flushdns
- Domain mappings are not saved when you reboot your Firebox. You must flush the local DNS cache of your clients and your DNS server to make sure domain/IP mappings are refreshed.
- Alternatively, you can save the domain mappings on your Firebox to a flash file that can be recovered after a reboot. To save your domain mappings to a flash file, from the CLI main mode, type: diagnose fqdn "/fqdnd/save_wildcard_domain_labels"
Internal DNS on Different Network
If clients use an internal local DNS server on a different network zone (for example, on a separate network off of the Firebox):
- Configure your clients and Firebox to use the local DNS server as the primary name server.
- You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.
External DNS
If clients and your Firebox use an external DNS server:
- Configure your clients and Firebox to use the external DNS server as the primary name server. If your Firebox uses DHCP or PPPoE on the external interface to get the DNS configuration, this is the DNS server that will be used.
- You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.
Logs and Reports
You can view domain name resolution and actions in log messages and reports just like other IP addresses and hosts.
If you use a wildcard domain, it appears as a wildcard in log messages, such as *.example.com. The specific subdomain that triggered the action is not displayed.