When you configure the firewall with a DNS Proxy Object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows:
The firewall first tokenizes the FQDN and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token.
  *.boat.fish.com consists of four tokens: [*][boat][fish][com]
The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings are not matched.
  Rule: fishing
    fish                   Not a Match
An exception to the exact match requirement is the wildcard, an asterisk (*). The * matches one or more tokens. This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens.
  Rule: *.boat.com
    www.boat.com           Match
    www.blue.boat.com      Match
    boat.com               Not a Match
  Rule: *
    boat                   Match
    boat.com               Match
    www.boat.com           Match
You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not combined with other characters within a single token).
  Rule: www.*.com
    www.boat.com           Match
    www.blue.boat.com      Match
  Rule: www.boat.*
    www.boat.com           Match
    www.boat.fish.com      Match
  Rule: www.boat*.com      Invalid (the * is combined with other characters in one token)
Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each non-consecutive * matches one or more tokens.
  Rule: a.*.d.*.com
    a.b.d.e.com            Match
    a.b.c.d.e.f.com        Match
    a.d.d.e.f.com          Match (first * matches d; second * matches e and f)
    a.d.e.f.com            Not a Match (first * matches d; the subsequent d in the rule is not matched)
When wildcards are used in consecutive tokens, the first * matches one or more tokens and the second * matches exactly one token. This means a rule consisting of only *.* matches any FQDN with two or more tokens.
  Consecutive wildcards preceding tokens:
  Rule: *.*.boat.com
    www.blue.boat.com          Match
    www.blue.sail.boat.com     Match
  Consecutive wildcards between tokens:
  Rule: www.*.*.boat.com
    www.blue.sail.boat.com         Match
    www.big.blue.sail.boat.com     Match
  Consecutive wildcards trailing tokens:
  Rule: www.boat.*.*
    www.boat.fish.com          Match
    www.boat.fish.ocean.com    Match
  Consecutive wildcards only:
  Rule: *.*
    boat                   Not a Match
    boat.com               Match
    www.boat.com           Match
Consecutive and non-consecutive wildcards can appear in the same rule.
  Rule: a.*.d.*.*.com
    a.b.c.d.e.f.com        Match (first * matches b and c; second * matches e; third * matches f)
    a.b.c.d.e.com          Not a Match (first * matches b and c; second * matches e; the third * is not matched)
The Implicit-tail-match behavior provides an additional shorthand: as long as the last token of the rule is not an *, a comparison matches if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn't have.
  Rule: www.boat.fish
    www.boat.fish.com          Match
    www.boat.fish.ocean.com    Match
    www.boat.fish              Match
When a rule ends with *, the Implicit-tail-match behavior doesn't apply. The * behaves as stated: it matches one or more tokens.
  Rule: www.boat.fish.*
    www.boat.fish.com          Match
    www.boat.fish.ocean.com    Match
    www.boat.fish              Not a Match (this FQDN has no token to match the * in the rule)
In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*).
  Rule 1: *.fish.com
  Rule 2: *.com
  Rule 3: boat.fish.com

  FQDN: boat.fish.com
    Rule 1                 Match
    Rule 2                 Match
    Rule 3                 Match (tie-breaker winner)
  The FQDN matches all three rules; the firewall uses Rule 3 because it is the most specific.
  FQDN: fish.com
    Rule 1                 Not a Match
    Rule 2                 Match
    Rule 3                 Not a Match
  The FQDN does not match Rule 1 because the * has no token to match.
  FQDN: blue.boat.fish.com
    Rule 1                 Match (tie-breaker winner)
    Rule 2                 Match
    Rule 3                 Not a Match
  The FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific.
When working with wildcards (*) and Implicit-tail-match rules, there can be cases in which the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally. To avoid ambiguity, if rules with an Implicit-tail-match or a wildcard (*) can overlap, replace the Implicit-tail-match rule with one that specifies the tail token.
  Replace this:    Rule: www.boat
  With this:       Rule: www.boat.com
When creating DNS proxy rules, the following best practices will help you avoid ambiguity and unexpected results:
Avoid invoking an Implicit-tail-match by including a top-level domain in the domain name.
  Example: boat.com
If you use a wildcard (*), use it only as the leftmost token. This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS.
  Example: *.boat.com
Use no more than one * in a rule.
Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers. The tie-breaking algorithm selects the most specific match, based on the number of matched tokens.
  Rule: *.corporation.com                DNS server A
  Rule: www.corporation.com              DNS server B
  Rule: *.internal.corporation.com       DNS server C
  Rule: www.internal.corporation.com     DNS server D
  FQDN: mail.internal.corporation.com    matches the rule for DNS server C
  FQDN: mail.corporation.com             matches the rule for DNS server A
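The matching and tie-breaking behavior described on this page (token comparison, single and consecutive wildcards, Implicit-tail-match, and most-specific-rule selection for the base-rule-plus-exceptions pattern) as an added Python model; this is example code written for this page, not code from the firewall or its documentation. The specificity key (count of literal tokens) and the rule/server table are assumptions; a result list with more than one entry reports the ambiguity the page warns about.

```python
# Added example (not code from the firewall or its documentation): a model of
# the token-based DNS proxy rule matching this page describes. The specificity
# key and the rule/server table below are assumptions built from the page.

def tokenize(name: str) -> list[str]:
    """Split a domain name into tokens at each period."""
    return name.rstrip(".").split(".")

def validate_rule(rule: str) -> None:
    """A * must be a whole token; 'www.boat*.com' is invalid on the firewall."""
    for tok in tokenize(rule):
        if "*" in tok and tok != "*":
            raise ValueError(f"invalid rule {rule!r}: * mixed with other characters")

def _match(rule: list[str], fqdn: list[str], after_star: bool = False) -> bool:
    if not rule:  # all rule tokens consumed; leftover FQDN tokens are accepted
        return True  # (Implicit-tail-match, or the tail of what a trailing * matched)
    head, rest = rule[0], rule[1:]
    if head != "*":  # a literal token needs an exact token match
        return bool(fqdn) and fqdn[0] == head and _match(rest, fqdn[1:], False)
    if after_star:  # second and later * of a consecutive run: exactly one token
        return bool(fqdn) and _match(rest, fqdn[1:], True)
    # first * of a run: one or more tokens, so try every possible length
    return any(_match(rest, fqdn[n:], True) for n in range(1, len(fqdn) + 1))

def rule_matches(rule: str, fqdn: str) -> bool:
    validate_rule(rule)
    return _match(tokenize(rule), tokenize(fqdn))

def specificity(rule: str) -> int:
    """Assumed tie-break key: the number of literal (non-*) tokens, which
    rewards both more tokens and fewer wildcards as the page describes."""
    return sum(1 for tok in tokenize(rule) if tok != "*")

def select_rules(rules: list[tuple[str, str]], fqdn: str) -> list[tuple[str, str]]:
    """Return the winning (rule, server) pair(s). More than one result means
    the tie-breaker weighs the candidates equally: the ambiguity to avoid."""
    hits = [(r, s) for r, s in rules if rule_matches(r, fqdn)]
    if not hits:
        return []
    best = max(specificity(r) for r, _ in hits)
    return [(r, s) for r, s in hits if specificity(r) == best]

# Constructed rule table, following the page's base-rule-plus-exceptions pattern
RULES = [("*.corporation.com", "DNS server A"),
         ("www.corporation.com", "DNS server B"),
         ("*.internal.corporation.com", "DNS server C"),
         ("www.internal.corporation.com", "DNS server D")]
```

Calling select_rules(RULES, "mail.internal.corporation.com") returns only the DNS server C rule, while a table containing both www.boat and *.boat.com returns both for www.boat.com, showing why the page recommends specifying the tail token.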