Load-Balanced DNS
What's New in the NetSec Platform

You can configure an FQDN address object as a load-balanced FQDN.
You can configure FQDN address objects as load-balanced FQDNs to ensure comprehensive policy matching when application servers use load-balanced DNS servers to distribute traffic. When you enable this feature, the firewall maintains a complete list of resolved IP addresses for the FQDN, rather than replacing the existing list with each DNS response. This addresses situations where load-balanced DNS servers return only a subset of available IP addresses in response to individual queries, which can cause policy rules to fail when matching against IP addresses that were not included in the most recent DNS response.
You configure this functionality by enabling a new checkbox option in the FQDN address object configuration. When you designate an FQDN as load-balanced, the DNS proxy implements additional query logic to build and maintain the complete set of resolved IP addresses. The system adds DNS retry events with progressive timing intervals when it receives different IP addresses from those currently stored, allowing it to discover the full range of IP addresses associated with the load-balanced domain.
Enable this feature when your network includes applications that rely on load-balanced DNS infrastructure and complete visibility into all possible destination IP addresses is critical for security policy enforcement. With it enabled, your security policies match correctly regardless of which subset of IP addresses the load-balanced DNS server returns for any individual query.
The feature maintains backward compatibility with existing FQDN configurations, and you can selectively enable load-balanced DNS handling only for specific FQDN address objects that require this behavior. The system limits each domain to a maximum of 100 IP addresses to manage memory usage effectively while supporting the vast majority of load-balanced DNS implementations.
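As an added illustration (not code from this documentation or from the product), the following Python model contrasts the default replace-on-each-response handling with the load-balanced behavior described above, including the progressive retries and the per-domain cap. The class, the round-robin resolver, and the specific retry delays are assumptions; the DNS answers are constructed sample data.

```python
import ipaddress
from collections import OrderedDict

MAX_IPS_PER_FQDN = 100  # per-domain cap stated on the page

class FqdnAddressObject:
    """Hypothetical model of an FQDN address object's resolved-address list."""
    def __init__(self, fqdn, load_balanced=False, max_ips=MAX_IPS_PER_FQDN):
        self.fqdn = fqdn
        self.load_balanced = load_balanced
        self.max_ips = max_ips
        self.resolved = OrderedDict()  # insertion-ordered set of addresses

    def on_dns_response(self, answers):
        """Apply one DNS answer set; True if unseen addresses arrived (retry trigger)."""
        answers = [str(ipaddress.ip_address(a)) for a in answers]
        if not self.load_balanced:  # default: latest response replaces the list
            self.resolved = OrderedDict((a, None) for a in answers[:self.max_ips])
            return False
        new = [a for a in answers if a not in self.resolved]
        for a in new:
            if len(self.resolved) >= self.max_ips:
                break  # cap reached: extra addresses are dropped, not stored
            self.resolved[a] = None
        return bool(new)

    def matches(self, ip):
        """Policy lookup: does this address object cover the given IP?"""
        return str(ipaddress.ip_address(ip)) in self.resolved

def make_round_robin_resolver(pool, per_response):
    """Constructed stand-in for a load-balanced DNS server that returns only
    `per_response` addresses from `pool` per query, rotating through it."""
    state = {"i": 0}
    def resolve(_fqdn):
        start = state["i"]
        state["i"] = (start + per_response) % len(pool)
        return [pool[(start + k) % len(pool)] for k in range(per_response)]
    return resolve

def learn_addresses(obj, resolve, retry_delays=(1, 2, 4, 8, 16)):
    """Mimic the proxy's retry loop: query once, then re-query with progressively
    longer delays (values assumed) while new addresses keep appearing."""
    used = []
    obj.on_dns_response(resolve(obj.fqdn))
    for delay in retry_delays:
        used.append(delay)
        if not obj.on_dns_response(resolve(obj.fqdn)):
            break
    return used
```

With a four-address pool that is handed out two at a time, the default object covers only the last pair returned, while the load-balanced object learns all four after a single retry and stops retrying once a response brings nothing new.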