When the firewall receives an FQDN query where the domain isn’t in the DNS proxy cache, it
compares the domain name from the FQDN query to the domain names in the DNS proxy rules.
If you specify multiple domain names in a single DNS proxy rule, a query that matches
any one of those domain names matches the rule.
"DNS Proxy Rule and FQDN Matching" describes how the firewall determines
whether an FQDN matches a domain name in a DNS proxy rule. A DNS query that matches a
rule is sent to the primary DNS server configured for the proxy object to be
resolved.