DNS Proxy Rule and FQDN Matching
Next-Generation Firewall

How the firewall compares an FQDN to DNS proxy rules.
When you configure the firewall with a DNS proxy object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows.
FQDN Comparison to DNS Proxy Rule (with examples)
The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token.
*.boat.fish.com consists of four tokens: [*][boat][fish][com]
The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings aren’t matched.
Rule:     fishing
FQDN: fish — Not a Match
An exception to the exact match requirement is the use of the wildcard—an asterisk (*). The * matches one or more tokens.
This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens.
Rule:     *.boat.com
FQDN: www.boat.com — Match
FQDN: www.blue.boat.com — Match
FQDN: boat.com — Not a Match
Rule:   *
FQDN: boat — Match
FQDN: boat.com — Match
FQDN: www.boat.com — Match
You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not with other characters within a single token).
Rule:     www.*.com
FQDN: www.boat.com — Match
FQDN: www.blue.boat.com — Match
Rule:     www.boat.*
FQDN: www.boat.com — Match
FQDN: www.boat.fish.com — Match
Rule:     www.boat*.com — Invalid
Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each nonconsecutive * matches one or more tokens.
Rule:    a.*.d.*.com
FQDN: a.b.d.e.com — Match
FQDN: a.b.c.d.e.f.com — Match
FQDN: a.d.d.e.f.com — Match (First * matches d; second * matches e and f)
FQDN: a.d.e.f.com — Not a Match (First * matches d; subsequent d in the rule isn’t matched)
When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token.
This means a rule consisting of only *.* matches any FQDN with two or more tokens.
Consecutive wildcards preceding tokens:
Rule:     *.*.boat.com
FQDN: www.blue.boat.com — Match
FQDN: www.blue.sail.boat.com — Match
Consecutive wildcards between tokens:
Rule:    www.*.*.boat.com
FQDN: www.blue.sail.boat.com — Match
FQDN: www.big.blue.sail.boat.com — Match
Consecutive wildcards trailing tokens:
Rule:    www.boat.*.*
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
Consecutive wildcards only:
Rule:   *.*
FQDN: boat — Not a Match
FQDN: boat.com — Match
FQDN: www.boat.com — Match
Consecutive and nonconsecutive wildcards can appear in the same rule.
Rule:    a.*.d.*.*.com
FQDN: a.b.c.d.e.f.com — Match (First * matches b and c; second * matches e; third * matches f)
FQDN: a.b.c.d.e.com — Not a Match (First * matches b and c; second * matches e; third * not matched)
The Implicit-tail-match behavior provides an additional shorthand:
As long as the last token of the rule isn’t an *, a comparison will match if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn’t have.
Rule:    www.boat.fish
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
FQDN: www.boat.fish — Match
This rule ends with *, so the Implicit-tail-match rule doesn’t apply. The * behaves as stated; it matches one or more tokens.
Rule:    www.boat.fish.*
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
FQDN: www.boat.fish — Not a Match (This FQDN doesn’t have a token to match the * in the rule.)
In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*).
Rule 1:  *.fish.com — Match
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Match and Tie-Breaker
FQDN: boat.fish.com
FQDN matches all three rules; the firewall uses Rule 3 because it’s the most specific.
Rule 1:  *.fish.com — Not a Match
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Not a Match
FQDN: fish.com
FQDN doesn’t match Rule 1 because the * doesn’t have a token to match.
Rule 1:  *.fish.com — Match and Tie-Breaker
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Not a Match
FQDN: blue.boat.fish.com
FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it’s the most specific.
When working with wildcards (*) and Implicit-tail-match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally.
To avoid ambiguity, if rules with an Implicit-tail-match or a wildcard (*) can overlap, replace an Implicit-tail-match rule by specifying the tail token.
Replace this:
Rule: www.boat
with this:
Rule: www.boat.com
Best Practices for Creating DNS Proxy Rules to Avoid Ambiguity and Unexpected Results
Include a top-level domain in the domain name to avoid invoking an Implicit-tail-match that might match the FQDN to more than one rule.
Example: boat.com
If you use a wildcard (*), use it only as the leftmost token.
This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS.
Example: *.boat.com
Use no more than one * in a rule.
Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers.
The tie-breaking algorithm will select the most specific match, based on the number of matched tokens.
Rule: *.corporation.com — DNS server A
Rule: www.corporation.com — DNS server B
Rule: *.internal.corporation.com — DNS server C
Rule: www.internal.corporation.com — DNS server D
FQDN: mail.internal.corporation.com — matches DNS server C
FQDN: mail.corporation.com — matches DNS server A
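The token comparison, wildcard handling, Implicit-tail-match and tie-breaking described in the sections above, implemented as an added Python example so that a rule set can be checked against a list of FQDNs before it is deployed. This is illustrative code written for this page, not Palo Alto Networks' implementation; the names tokenize, validate_rule, rule_matches, specificity, select_rule and resolve_server are this example's own, and it assumes (which the page does not state) that comparison is case-insensitive and that a trailing dot on an FQDN is ignored. The rule-to-server table at the bottom is constructed from the best-practice example above.

```python
"""
Token-wise FQDN matching against DNS proxy rules, following the behaviour
stated on this page: exact token comparison, '*' matching one or more tokens
(a consecutive second '*' matching exactly one), Implicit-tail-match when the
rule does not end in '*', and tie-breaking by most tokens, then fewest '*'.
"""
from typing import Optional


def tokenize(name: str) -> list[str]:
    """Split a domain name on '.' into tokens.
    Assumption (not stated on the page): case-insensitive, trailing dot ignored."""
    return [t for t in name.lower().rstrip(".").split(".") if t]


def validate_rule(rule: str) -> None:
    """A '*' must occupy a whole token: 'www.boat*.com' is invalid, as on the page."""
    for tok in tokenize(rule):
        if "*" in tok and tok != "*":
            raise ValueError(f"invalid rule {rule!r}: '*' must be a whole token")


def rule_matches(rule: str, fqdn: str) -> bool:
    """True if the DNS proxy rule matches the FQDN under the page's rules."""
    validate_rule(rule)
    r, f = tokenize(rule), tokenize(fqdn)
    if not r:
        return False
    # Implicit-tail-match: a rule whose last token is a literal also accepts
    # FQDNs that carry extra trailing tokens; a rule ending in '*' does not.
    implicit_tail = r[-1] != "*"

    def match(i: int, j: int, after_star: bool) -> bool:
        if i == len(r):                        # every rule token consumed
            return j == len(f) or implicit_tail
        tok = r[i]
        if tok != "*":                         # literal: exact token equality only
            return j < len(f) and f[j] == tok and match(i + 1, j + 1, False)
        if after_star:                         # consecutive '*': exactly one token
            return j < len(f) and match(i + 1, j + 1, True)
        # nonconsecutive '*': one or more tokens; try every possible span length
        return any(match(i + 1, k, True) for k in range(j + 1, len(f) + 1))

    return match(0, 0, False)


def specificity(rule: str) -> tuple[int, int]:
    """Tie-break key: more tokens first, then fewer wildcards (higher wins)."""
    toks = tokenize(rule)
    return (len(toks), -toks.count("*"))


def select_rule(fqdn: str, rules: list[str]) -> tuple[Optional[str], bool]:
    """Return (most specific matching rule or None, ambiguous).
    ambiguous is True when the two best matches weigh equally, the situation the
    page recommends avoiding by spelling out the tail token."""
    ranked = sorted((r for r in rules if rule_matches(r, fqdn)),
                    key=specificity, reverse=True)
    if not ranked:
        return None, False
    ambiguous = len(ranked) > 1 and specificity(ranked[0]) == specificity(ranked[1])
    return ranked[0], ambiguous


def resolve_server(fqdn: str, table: dict[str, str]) -> Optional[str]:
    """Map an FQDN to the DNS server of the winning rule (None if nothing matches)."""
    winner, _ = select_rule(fqdn, list(table))
    return table[winner] if winner else None


# Constructed from the page's best-practice example: base wildcard rule plus
# more specific exceptions, each associated with a different DNS server.
RULE_TABLE = {
    "*.corporation.com": "DNS server A",
    "www.corporation.com": "DNS server B",
    "*.internal.corporation.com": "DNS server C",
    "www.internal.corporation.com": "DNS server D",
}

if __name__ == "__main__":
    for name in ("mail.internal.corporation.com", "mail.corporation.com",
                 "www.corporation.com", "corporation.com"):
        print(f"{name:32} -> {resolve_server(name, RULE_TABLE)}")
```

Because the matcher applies the Implicit-tail-match exactly as the page states it, running an existing rule set through select_rule for the FQDNs you expect to see is a quick way to find rules that overlap or that match more than intended; an ambiguous result of True points at the case where the tie-breaker weighs two rules equally.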