DNS Proxy Rule and FQDN Matching
When you configure the firewall with a DNS Proxy Object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows:
FQDN Comparison to DNS Proxy Rule, with examples:
The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token.
*.boat.fish.com consists of four tokens: [*][boat][fish][com]
The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings are not matched.
Rule: fishing
FQDN: fish — Not a Match
An exception to the exact match requirement is the use of the wildcard—an asterisk (*). The * matches one or more tokens.
This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens.
Rule: *.boat.com
FQDN: www.boat.com — Match
FQDN: www.blue.boat.com — Match
FQDN: boat.com — Not a Match
Rule: *
FQDN: boat — Match
FQDN: boat.com — Match
FQDN: www.boat.com — Match
You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not with other characters within a single token).
Rule: www.*.com
FQDN: www.boat.com — Match
FQDN: www.blue.boat.com — Match
Rule: www.boat.*
FQDN: www.boat.com — Match
FQDN: www.boat.fish.com — Match
Rule: www.boat*.com — Invalid
Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each non-consecutive * matches one or more tokens.
Rule: a.*.d.*.com
FQDN: a.b.d.e.com — Match
FQDN: a.b.c.d.e.f.com — Match
FQDN: a.d.d.e.f.com — Match (First * matches d; second * matches e and f)
FQDN: a.d.e.f.com — Not a Match (First * matches d; subsequent d in the rule is not matched)
When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token.
This means a rule consisting of only *.* matches any FQDN with two or more tokens.
Consecutive wildcards preceding tokens:
Rule: *.*.boat.com
FQDN: www.blue.boat.com — Match
FQDN: www.blue.sail.boat.com — Match
Consecutive wildcards between tokens:
Rule: www.*.*.boat.com
FQDN: www.blue.sail.boat.com — Match
FQDN: www.big.blue.sail.boat.com — Match
Consecutive wildcards trailing tokens:
Rule: www.boat.*.*
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
Consecutive wildcards only:
Rule: *.*
FQDN: boat — Not a Match
FQDN: boat.com — Match
FQDN: www.boat.com — Match
Consecutive and non-consecutive wildcards can appear in the same rule.
Rule: a.*.d.*.*.com
FQDN: a.b.c.d.e.f.com — Match (First * matches b and c; second * matches e; third * matches f)
FQDN: a.b.c.d.e.com — Not a Match (First * matches b and c; second * matches e; third * not matched)
The Implicit-tail-match behavior provides an additional shorthand:
As long as the last token of the rule is not an *, a comparison will match if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn’t have.
Rule: www.boat.fish
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
FQDN: www.boat.fish — Match
This rule ends with *, so the Implicit-tail-match rule doesn’t apply. The * behaves as stated; it matches one or more tokens.
Rule: www.boat.fish.*
FQDN: www.boat.fish.com — Match
FQDN: www.boat.fish.ocean.com — Match
FQDN: www.boat.fish — Not a Match (This FQDN does not have a token to match the * in the rule.)
In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*).
Rule 1:  *.fish.com — Match
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Match and Tie-Breaker
FQDN: boat.fish.com
FQDN matches all three rules; the firewall uses Rule 3 because it is the most specific.
Rule 1:  *.fish.com — Not a Match
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Not a Match
FQDN: fish.com
FQDN does not match Rule 1 because the * does not have a token to match.
Rule 1:  *.fish.com — Match and Tie-Breaker
Rule 2:  *.com — Match
Rule 3:  boat.fish.com — Not a Match
FQDN: blue.boat.fish.com
FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific.
When working with wildcards (*) and Implicit-tail-match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally.
To avoid ambiguity, if rules with an Implicit-tail-match or a wildcard (*) can overlap, replace an Implicit-tail-match rule by specifying the tail token.
Replace this:
Rule: www.boat
with this:
Rule: www.boat.com
Best Practices for Creating DNS Proxy Rules to Avoid Ambiguity and Unexpected Results
Include a top-level domain in the domain name to avoid invoking an Implicit-tail-match that may match the FQDN to more than one rule.
boat.com
If you use a wildcard (*), use it only as the leftmost token.
This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS.
*.boat.com
Use no more than one * in a rule.
Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers.
The tie-breaking algorithm will select the most specific match, based on the number of matched tokens.
Rule: *.corporation.com — DNS server A
Rule: www.corporation.com — DNS server B
Rule: *.internal.corporation.com — DNS server C
Rule: www.internal.corporation.com — DNS server D
FQDN: mail.internal.corporation.com — matches DNS server C
FQDN: mail.corporation.com — matches DNS server A
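As an added example that is not part of this documentation or of the firewall's own code, here is a small Python implementation of the token matching, wildcard, Implicit-tail-match and tie-breaking behavior described above, exercised against the page's own rule sets, including the base-rule-plus-exceptions layout from the best practices (function names and the rule-to-server dictionary are my own assumptions). Unlike the firewall, it raises on two equally specific matches so the ambiguity the page warns about is visible rather than resolved silently.

```python
# Added example (not Palo Alto Networks code): token-level DNS proxy rule matching as described
# on this page. Function names and the rules-to-server dict are my own assumptions.
from typing import Optional

WILDCARD = "*"

def tokenize(name: str) -> list[str]:
    """Split a domain name or rule into period-delimited tokens."""
    return name.strip().strip(".").lower().split(".")

def is_valid_rule(rule: str) -> bool:
    """A '*' must be a whole token, so 'www.boat*.com' is invalid."""
    return all(WILDCARD not in tok or tok == WILDCARD for tok in tokenize(rule))

def _match(rule: list[str], fqdn: list[str], tail_ok: bool) -> bool:
    """Backtracking matcher. Every '*' consumes one or more tokens, which gives a run
    of k consecutive '*' the page's 'at least k tokens' behaviour automatically."""
    if not rule:
        # Rule exhausted: leftover FQDN tokens are fine only under Implicit-tail-match.
        return not fqdn or tail_ok
    if not fqdn:
        return False
    head, rest = rule[0], rule[1:]
    if head == WILDCARD:
        return any(_match(rest, fqdn[n:], tail_ok) for n in range(1, len(fqdn) + 1))
    return head == fqdn[0] and _match(rest, fqdn[1:], tail_ok)

def matches(rule: str, fqdn: str) -> bool:
    """Exact tokens, '*' wildcards, and Implicit-tail-match when the last token is not '*'."""
    if not is_valid_rule(rule):
        raise ValueError(f"invalid rule {rule!r}: '*' must be a whole token")
    rule_tokens = tokenize(rule)
    return _match(rule_tokens, tokenize(fqdn), tail_ok=rule_tokens[-1] != WILDCARD)

def specificity(rule: str) -> tuple[int, int]:
    """Tie-breaker key: more tokens first, then fewer wildcards."""
    tokens = tokenize(rule)
    return (len(tokens), -tokens.count(WILDCARD))

def select_server(rules: dict[str, str], fqdn: str) -> Optional[str]:
    """DNS server of the most specific matching rule, or None. Two equally specific
    matches raise instead of being picked silently: that is the ambiguity to design out."""
    hits = sorted((r for r in rules if matches(r, fqdn)), key=specificity, reverse=True)
    if not hits:
        return None
    if len(hits) > 1 and specificity(hits[0]) == specificity(hits[1]):
        raise ValueError(f"ambiguous match for {fqdn}: {hits[0]} vs {hits[1]}")
    return rules[hits[0]]
```

Feeding a proposed rule set and the FQDNs you expect to see through select_server before committing it is a cheap way to catch an unintended Implicit-tail-match or an equally weighted pair of wildcard rules.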