
About Policies by Domain Name (FQDN)

You can use Fully Qualified Domain Names (FQDN) in your Firebox policy configurations. If you use FQDNs in the configuration, you must also configure DNS on the Firebox so that the Firebox can resolve the domain names. For more information, see DNS Configuration.

With domain name support, you can:

In Fireware v11.12.2 and higher, the Blocked Sites Exceptions list includes default FQDNs for servers that WatchGuard products and subscription services must connect to. For more information, see About Blocked Sites.

You can use a specific domain name (host.example.com) or a wildcard domain name (*.example.com). For example, the wildcard domain *.example.com would include:

  • a.example.com
  • b.example.com
  • a.b.example.com

These wildcard entries are not supported:

  • *.*.example.com
  • example*.com
  • *.example.*.com
  • example.*.com
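The rules above reduce to two checks: a wildcard is allowed only as the whole leftmost label, and a specific name is matched exactly. The following Python is an added illustration, not WatchGuard code; it assumes the Firebox matches wildcards by whole labels, case-insensitively, and it treats example.com itself as covered by *.example.com because the Domain Name Resolution section below says the device resolves example.com for that wildcard.

```python
"""Validate and match FQDN policy entries under the wildcard rules above.

Added illustration, not WatchGuard code.  Assumptions: labels follow the
usual hostname syntax, matching is case-insensitive, and *.example.com
covers example.com itself (the Firebox resolves example.com for that
wildcard) as well as every deeper subdomain.
"""
import re

# A label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_fqdn_entry(entry: str) -> tuple[bool, str]:
    """Return (ok, reason) for one entry such as host.example.com or *.example.com.

    Rejected, as on the page: *.*.example.com (two wildcards), example*.com
    (wildcard inside a label), example.*.com (wildcard not leftmost) and
    entries containing whitespace such as '*. example.*.com'.
    """
    if any(ch.isspace() for ch in entry):
        return False, "whitespace in entry"
    labels = entry.split(".")
    if len(labels) < 2 or "" in labels:
        return False, "need at least two non-empty labels"
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return False, "wildcard allowed only as the leftmost label"
        elif "*" in label:
            return False, "wildcard must be a whole label"
        elif not _LABEL.match(label):
            return False, f"invalid label {label!r}"
    return True, "ok"


def matches(entry: str, hostname: str) -> bool:
    """True if hostname is covered by a (validated) entry."""
    entry = entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if entry.startswith("*."):
        apex = entry[2:]                      # "example.com"
        return hostname == apex or hostname.endswith("." + apex)
    return hostname == entry


def check_policy_entries(entries):
    """Split candidate entries into an accepted list and a {entry: reason} dict."""
    accepted, rejected = [], {}
    for e in entries:
        ok, why = validate_fqdn_entry(e)
        if ok:
            accepted.append(e)
        else:
            rejected[e] = why
    return accepted, rejected


if __name__ == "__main__":
    # Constructed candidates: the supported forms plus the four unsupported ones.
    acc, rej = check_policy_entries([
        "host.example.com", "*.example.com",
        "*.*.example.com", "example*.com", "*. example.*.com", "example.*.com",
    ])
    print("accepted:", acc)
    for e, why in rej.items():
        print(f"rejected {e!r}: {why}")
    print(matches("*.example.com", "a.b.example.com"))   # deeper subdomain is covered
```

Run the validator over an exported entry list before pushing a configuration; a stray space or a mid-name wildcard is easy to miss in a long Blocked Sites Exceptions list.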

With domain name support, you can configure a wide variety of policy configurations. For example:

  • Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked.
  • Block or allow traffic to specific domains.
  • Block traffic to a specific domain, but create an exception for a subdomain.
  • Use the HTTP proxy for all web traffic, but bypass the proxy for content delivery networks such as *.akamai.com.
  • Use different proxy policies for different domains. For example, you can use one proxy policy for example.com, and use a different proxy policy for example2.com.

Domain Name Resolution

When you define a domain name in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP mappings. For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.

To learn the subdomains implied by *.example.com, the device inspects DNS replies that match your domain name configuration. As DNS traffic passes through the Firebox, it stores the IP addresses from replies to queries for a configured domain. Only A and CNAME records are used; all other record types are ignored.

Limitations

Note these limitations when you use domain names:

  • The sanctioned DNS server used to resolve domain names is the first static DNS server in your configuration, or the first DNS server obtained if your Firebox uses DHCP or PPPoE on the external interface.
  • Only IPv4 addresses are supported.
  • You can configure up to 1024 domain names in total, including Policies, Alias members, Blocked Sites, Blocked Site Exceptions, and Quota Exceptions.
  • Each domain can map up to 255 IP addresses. Older IP addresses are dropped when the maximum is reached.

Configuration Considerations

When you configure domain names, keep these considerations in mind:

  • A domain name can correspond to multiple IP addresses — It is possible that different DNS servers can return different IP address replies based on geographical location, time zone, load balancing configurations, and other factors.
  • A specific IP address may map to several domain names — When a domain is resolved to an IP address, it is equivalent to having a firewall policy with that specific IP address in the policy. If another domain or subdomain also resolves to the same IP address, traffic to or from that domain will also match this policy. This can create complications if you configure different traffic actions for each domain or wildcard domain.
  • Multiple domain names for the same site — Many web site main pages pull data from other web sites and second-level domains for images and other information. If you block all traffic and allow a specific domain, you must also allow any additional domains that are called by the main page. The system will attempt to map IP addresses from second-level domains for a wildcard domain to provide the full content for a site.

DNS Configuration

The Firebox uses a DNS server to resolve each domain name to an IP address. To use FQDNs, you must configure a DNS server in the network settings of your Firebox, or configure the external interface to use DHCP or PPPoE to get a DNS configuration. We recommend that your clients and your Firebox use the same DNS server. If a client resolves a domain to IP addresses that differ from the mappings the Firebox has learned, the client's traffic will not match the intended policy: it could be allowed by a different policy, or dropped if no policy matches.

If clients and an internal DNS server are on the same network, the DNS replies for internal destinations never cross the Firebox, so it has no opportunity to analyze them and learn mappings for local servers. We recommend that if you use an internal DNS server, the DNS server is located on a different internal network than your clients, so that the Firebox can see and analyze replies from the DNS server.

For Fireware versions lower than v11.12.2, Policy Manager does not allow you to save a configuration to the Firebox if the configuration includes FQDNs and DNS is not configured. For Fireware v11.12.2 and higher, Policy Manager warns you if DNS is not configured, but allows you to save the configuration to the Firebox.

Domain name configuration and management is affected by your current network topology and the location of your DNS server, as described here:

Internal DNS on Local Network

If clients and your Firebox use an internal DNS server on the same network zone:

  • Configure your clients and Firebox to use the local DNS server as the primary name server.
  • When you add wildcard domain entries, you must flush the local DNS cache of your clients and your DNS server to make sure domain/IP mappings are refreshed. This allows new analysis and mappings of DNS replies by your Firebox.
  • To flush the local DNS cache of your DNS server, see the documentation for your DNS server.
  • To display and flush the DNS cache of a Windows client, type these commands from the command line:
      ipconfig /displaydns
      ipconfig /flushdns
  • Domain mappings are not saved across a reboot of your Firebox. After a reboot, you must flush the local DNS cache of your clients and your DNS server so that the domain/IP mappings are learned again from fresh DNS replies.
  • Alternatively, you can save the domain mappings on your Firebox to a flash file that is restored after a reboot. To save your domain mappings to a flash file, from the CLI main mode, type: diagnose fqdn "/fqdnd/save_wildcard_domain_labels"

Internal DNS on Different Network

If clients use an internal local DNS server on a different network zone (for example on a separate network off of the Firebox):

  • Configure your clients and Firebox to use the local DNS server as the primary name server.
  • You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.

External DNS

If clients and your Firebox use an external DNS server:

  • Configure your clients and Firebox to use the external DNS server as the primary name server. If your Firebox uses DHCP or PPPoE on the external interface to get the DNS configuration, this is the DNS server that will be used.
  • You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.

Logs and Reports

You can view domain name resolution and actions in log messages and reports just like other IP addresses and hosts.

If you use a wildcard domain, it appears as a wildcard in log messages, such as *.example.com. The specific subdomain that triggered the action is not displayed.

See Also

About the Firewall Policies page

Add Policies to Your Configuration

About Policy Manager
