DNS Proxy Rule and FQDN Matching
When you configure the firewall with a DNS
Proxy Object that uses DNS proxy rules, the firewall compares
an FQDN from a DNS query to the domain name of a DNS proxy rule.
The firewall comparison works as follows:
FQDN Comparison to DNS Proxy Rule | For Example
---|---
The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token. | *.boat.fish.com consists of four tokens: [*][boat][fish][com]
The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings are not matched. | Rule: fishing; FQDN: fish — Not a Match
An exception to the exact match requirement is the use of the wildcard—an asterisk (*). The * matches one or more tokens. This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens. | Rule: *.boat.com; FQDN: www.boat.com — Match; FQDN: www.blue.boat.com — Match; FQDN: boat.com — Not a Match
 | Rule: *; FQDN: boat — Match; FQDN: boat.com — Match; FQDN: www.boat.com — Match
You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not with other characters within a single token). | Rule: www.*.com; FQDN: www.boat.com — Match; FQDN: www.blue.boat.com — Match
 | Rule: www.boat.*; FQDN: www.boat.com — Match; FQDN: www.boat.fish.com — Match
 | Rule: www.boat*.com — Invalid
Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each non-consecutive * matches one or more tokens. | Rule: a.*.d.*.com; FQDN: a.b.d.e.com — Match; FQDN: a.b.c.d.e.f.com — Match; FQDN: a.d.d.e.f.com — Match (first * matches d; second * matches e and f); FQDN: a.d.e.f.com — Not a Match (first * matches d; the subsequent d in the rule is not matched)
When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token. This means a rule consisting of only *.* matches any FQDN with two or more tokens. | Consecutive wildcards preceding tokens: Rule: *.*.boat.com; FQDN: www.blue.boat.com — Match; FQDN: www.blue.sail.boat.com — Match
 | Consecutive wildcards between tokens: Rule: www.*.*.boat.com; FQDN: www.blue.sail.boat.com — Match; FQDN: www.big.blue.sail.boat.com — Match
 | Consecutive wildcards trailing tokens: Rule: www.boat.*.*; FQDN: www.boat.fish.com — Match; FQDN: www.boat.fish.ocean.com — Match
 | Consecutive wildcards only: Rule: *.*; FQDN: boat — Not a Match; FQDN: boat.com — Match; FQDN: www.boat.com — Match
Consecutive and non-consecutive wildcards can appear in the same rule. | Rule: a.*.d.*.*.com; FQDN: a.b.c.d.e.f.com — Match (first * matches b and c; second * matches e; third * matches f); FQDN: a.b.c.d.e.com — Not a Match (first * matches b and c; second * matches e; third * not matched)
The Implicit-tail-match behavior provides an additional shorthand: as long as the last token of the rule is not an *, a comparison will match if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn’t have. | Rule: www.boat.fish; FQDN: www.boat.fish.com — Match; FQDN: www.boat.fish.ocean.com — Match; FQDN: www.boat.fish — Match
This rule ends with *, so the Implicit-tail-match rule doesn’t apply. The * behaves as stated; it matches one or more tokens. | Rule: www.boat.fish.*; FQDN: www.boat.fish.com — Match; FQDN: www.boat.fish.ocean.com — Match; FQDN: www.boat.fish — Not a Match (this FQDN does not have a token to match the * in the rule)
In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*). | FQDN: boat.fish.com; Rule 1: *.fish.com — Match; Rule 2: *.com — Match; Rule 3: boat.fish.com — Match and Tie-Breaker. The FQDN matches all three rules; the firewall uses Rule 3 because it is the most specific.
 | FQDN: fish.com; Rule 1: *.fish.com — Not a Match; Rule 2: *.com — Match; Rule 3: boat.fish.com — Not a Match. The FQDN does not match Rule 1 because the * does not have a token to match.
 | FQDN: blue.boat.fish.com; Rule 1: *.fish.com — Match and Tie-Breaker; Rule 2: *.com — Match; Rule 3: boat.fish.com — Not a Match. The FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific.
When working with wildcards (*) and Implicit-tail-match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally. To avoid ambiguity, if rules with an Implicit-tail-match or a wildcard (*) can overlap, replace an Implicit-tail-match rule by specifying the tail token. | Replace this: Rule: www.boat; with this: Rule: www.boat.com

Best Practices for Creating DNS Proxy Rules to Avoid Ambiguity and Unexpected Results

Best Practice | For Example
---|---
Include a top-level domain in the domain name to avoid invoking an Implicit-tail-match that may match the FQDN to more than one rule. | boat.com
If you use a wildcard (*), use it only as the leftmost token. This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS. | *.boat.com
Use no more than one * in a rule. |
Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers. The tie-breaking algorithm will select the most specific match, based on the number of matched tokens. | Rule: *.corporation.com — DNS server A; Rule: www.corporation.com — DNS server B; Rule: *.internal.corporation.com — DNS server C; Rule: www.internal.corporation.com — DNS server D; FQDN: mail.internal.corporation.com — matches DNS server C; FQDN: mail.corporation.com — matches DNS server A
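The following Python is an added example, not code from the documentation or from the firewall itself: it reimplements the token matching, wildcard, Implicit-tail-match and tie-breaking behavior described above so the examples in both tables can be checked offline. The case-folding, the ValueError for a malformed rule such as www.boat*.com, and the (literal-token count, total-token count) specificity key are assumptions chosen to reproduce the documented outcomes, not the firewall's published scoring.

```python
from __future__ import annotations

def tokenize(name: str) -> list[str]:
    """Split a domain name into tokens at each period (case-folded; trailing dot ignored)."""
    return [t for t in name.lower().strip(".").split(".") if t]

def validate_rule(rule: str) -> list[str]:
    """Tokenize a rule; '*' is legal only as a whole token (www.boat*.com is invalid)."""
    toks = tokenize(rule)
    if not toks or any("*" in t and t != "*" for t in toks):
        raise ValueError(f"invalid DNS proxy rule: {rule!r}")
    return toks

def _match(rule: list[str], fqdn: list[str], implicit_tail: bool) -> bool:
    if not rule:
        # All rule tokens consumed. Leftover FQDN tokens are accepted only by the
        # Implicit-tail-match, which applies when the rule does not end in '*'.
        return not fqdn or implicit_tail
    if not fqdn:
        return False  # rule still has tokens (maybe a '*') but the FQDN is exhausted
    if rule[0] == "*":
        # '*' consumes one or more tokens; try every span (backtracking also covers *.*).
        return any(_match(rule[1:], fqdn[i:], implicit_tail) for i in range(1, len(fqdn) + 1))
    return rule[0] == fqdn[0] and _match(rule[1:], fqdn[1:], implicit_tail)

def matches(rule: str, fqdn: str) -> bool:
    """Exact token match with wildcard and Implicit-tail-match semantics."""
    r = validate_rule(rule)
    return _match(r, tokenize(fqdn), implicit_tail=(r[-1] != "*"))

def specificity(rule: str) -> tuple[int, int]:
    """Tie-break key (assumed): more literal tokens first, then more tokens overall."""
    toks = tokenize(rule)
    return (sum(1 for t in toks if t != "*"), len(toks))

def select_rule(rules: list[str], fqdn: str) -> tuple[str | None, bool]:
    """Return (winning rule, ambiguous); ambiguous is True when the top two matches tie."""
    hits = sorted((r for r in rules if matches(r, fqdn)), key=specificity, reverse=True)
    if not hits:
        return None, False
    return hits[0], len(hits) > 1 and specificity(hits[0]) == specificity(hits[1])

if __name__ == "__main__":
    # Constructed rule set from the best-practice example: base wildcard rule plus exceptions.
    servers = {"*.corporation.com": "A", "www.corporation.com": "B",
               "*.internal.corporation.com": "C", "www.internal.corporation.com": "D"}
    for fqdn in ("mail.internal.corporation.com", "mail.corporation.com"):
        rule, _ = select_rule(list(servers), fqdn)
        print(f"{fqdn} -> {rule} (DNS server {servers[rule]})")
```

The ambiguous flag is what the "weighs the rules equally" caveat warns about: two overlapping wildcard rules such as www.*.com and *.boat.com score identically for www.boat.com, while specifying the tail token (www.boat.com) makes the winner unambiguous.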