About Policies by Domain Name (FQDN)

You can use Fully Qualified Domain Names (FQDN) in your Firebox policy configurations. If you use FQDNs in the configuration, you must also configure DNS on the Firebox so that the Firebox can resolve the domain names. For more information, see DNS Configuration.

You can use domain names in your policies to control traffic based on domain. For example:

  • Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked.
  • Block or allow traffic to specific domains.
  • Block traffic to a specific domain, but create an exception for a subdomain.
  • Use the HTTP proxy for all web traffic, but bypass the proxy for content delivery networks such as *.akamai.com.
  • Use different proxy policies for different domains. For example, you can use one proxy policy for example.com, and use a different proxy policy for example2.com.

With domain name support, you can:

You can use a specific domain name (host.example.com) or a wildcard domain name (*.example.com). For example, the wildcard domain *.example.com includes:

  • example.com
  • a.example.com
  • b.example.com
  • a.b.example.com

Wildcard domain names must include at least two domain labels, for example *.example.com. Wildcard domain names that include only the top-level domain, such as *.com, are not supported.

You can also use subdomain wildcards, for example:

  • *.b.example.com
  • *.b.c.example.com
  • *.b.c.d.example.com

Multi-level subdomain wildcards in FQDN are only supported in Fireware v12.2 and higher.

These wildcard entries are not supported:

  • *.net or *.com (the list of IP address entries would be too large to process)
  • *.*.example.com
  • example*.com
  • *. example.*.com
  • example.*.com

Domain Name Resolution

When you define a domain name in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP address mappings. For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.

To resolve the subdomains implied by *.example.com, the Firebox analyzes DNS replies that match your domain name configuration. As DNS traffic passes through the Firebox, the Firebox stores the IP address mapping responses to relevant queries. Only A and CNAME records are used. Any other records are ignored.

Limitations

Note these limitations when you use domain names:

  • The sanctioned DNS server used to resolve domain names is the first static DNS server in your configuration, or the first DNS server obtained if your Firebox uses DHCP or PPPoE on the external interface.
  • Only IPv4 addresses are supported.
  • The total number of domain names you can configure in Policies, Alias members, Blocked Sites, Blocked Site Exceptions, Geolocation Exceptions, and Quota Exceptions, depends on the Fireware version and your device model.

    Fireware 12.7 and higher:

    • There is no limit on the number of domain names you can configure. The Firebox generates a warning log message when you save a configuration that exceeds 2048 or 1024 domain names, based on the Firebox model:
      • Firebox M270, M370, M400, M440, M470, M500, M570, M670, M4600, M5600, T55, T55-W, T70, FireboxV, and Firebox Cloud: 2048 domain names
      • All other devices: 1024 domain names
    • Example log message:
    • 2020-12-17 16:28:01 wgagent The number of FQDNs exceeds the recommended maximum of 2048 Debug

    Fireware 12.4 to 12.6.x:

    • Firebox M200, M270, M300, M370, M400, M440, M470, M500, M570, M670, M4600, M5600, T55, T55-W, T70, FireboxV, and Firebox Cloud: Up to 2048 domain names
    • All other devices: Up to 1024 domain names

    Fireware 12.3.1 and lower:

    • All devices: Up to 1024 domain names
  • Each domain can map up to 255 IP addresses. Older IP addresses are dropped when the maximum is reached.

The Firebox retains DNS entries for FQDNs for the amount of time specified by the TTL (Time To Live) value provided by the DNS server.

Configuration Considerations

When you configure domain names, keep these considerations in mind:

  • A domain name can correspond to multiple IP addresses — It is possible that different DNS servers can return different IP address replies based on geographical location, time zone, load balancing configurations, and other factors.
  • A specific IP address may map to several domain names — When a domain is resolved to an IP address, it is equivalent to a firewall policy with that specific IP address in the policy. If another domain or subdomain also resolves to the same IP address, traffic to or from that domain will also match this policy. This can create complications if you configure different traffic actions for each domain or wildcard domain. The FQDN IP mapping used is determined by the processing precedence:
    1. Blocked site exceptions
    2. Blocked sites
    3. Policies (based on the policy order)

    When you use an FQDN that directs to a content delivery network (CDN), the selected behavior applies to all traffic that uses the same IP address(es) at the CDN. This might cause blocked sites, exceptions, and policy settings to handle traffic that has a destination with the same IP address(es). You might encounter this issue more frequently if you use wildcard domain names.
    If you want to control access to specific sites and applications, consider the use of WebBlocker or Application Control, which might be better options.

  • The same FQDN can be used in more than one policy — The policy configuration prevents issues with multiple FQDN matches occurring in different packet level features, such as blocked sites exceptions, blocked sites, and policies. FQDNs are resolved by the policy precedence.
  • Multiple domain names for the same site — Many website main pages pull data from other websites and second-level domains for images and other information. If you block all traffic and allow a specific domain, you must also allow any additional domains that are called by the page. The Firebox will attempt to map IP addresses from second-level domains for a wildcard domain to provide the full content for a site.

DNS Configuration

The Firebox uses a DNS server to resolve each domain name to an IP address. To use FQDNs, you must configure a DNS server in the network settings of your Firebox, or configure the external interface to use DHCP or PPPoE to get a DNS configuration. We recommend that your clients and your Firebox use the same DNS server. If the client contains different IP and domain mappings than the Firebox, the traffic will not match to the correct policy and could be allowed by a different policy, or dropped if no policy is matched.

If clients try to reach an internal destination with an internal DNS server, the Firebox may not have an opportunity to analyze this traffic for local servers. We recommend that if you use an internal DNS server, the DNS server should be located on a different internal network than your clients so that the Firebox can see and analyze replies from the DNS server.

For Fireware versions lower than v11.12.2, Policy Manager does not allow you to save a configuration to the Firebox if the configuration includes FQDNs and DNS is not configured. For Fireware v11.12.2 and higher, Policy Manager warns you if DNS is not configured, but allows you to save the configuration to the Firebox.

Domain name configuration and management is affected by your current network topology and the location of your DNS server, as described in the next sections.

Internal DNS on Local Network

If clients and your Firebox use an internal DNS server on the same network zone:

  • Configure your clients and Firebox to use the local DNS server as the primary name server.
  • When you add wildcard domain entries, you must flush the local DNS cache of your clients and your DNS server to make sure domain/IP mappings are refreshed. This allows new analysis and mappings of DNS replies by your Firebox.
  • To flush the local DNS cache of your DNS server, see the documentation for your DNS server.
  • To display and flush the DNS cache of a Windows client, type these commands from the command line:
  • ipconfig /displaydns
  • ipconfig /flushdns
  • Domain mappings are not saved when you reboot your Firebox. You must flush the local DNS cache of your clients and your DNS server to make sure domain/IP mappings are refreshed.
  • Alternatively, you can save the domain mappings on your Firebox to a flash file that can be recovered after a reboot. To save your domain mappings to a flash file, from the CLI main mode, type: diagnose fqdn "/fqdnd/save_wildcard_domain_labels"

Internal DNS on Different Network

If clients use an internal local DNS server on a different network zone (for example, on a separate network off of the Firebox):

  • Configure your clients and Firebox to use the local DNS server as the primary name server.
  • You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.

External DNS

If clients and your Firebox use an external DNS server:

  • Configure your clients and Firebox to use the external DNS server as the primary name server. If your Firebox uses DHCP or PPPoE on the external interface to get the DNS configuration, this is the DNS server that will be used.
  • You do not need to flush the local DNS cache of your clients or DNS server when you add a wildcard domain to your configuration or when you reboot your Firebox.

Logs and Reports

You can view domain name resolution and actions in log messages and reports just like other IP addresses and hosts.

If you use a wildcard domain, it appears as a wildcard in log messages, such as *.example.com. The specific subdomain that triggered the action is not displayed.

See Also

About the Firewall Policies page

Add Policies to Your Configuration

About Policy Manager

About DNS on the Firebox