- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
DNS Resolution of Wildcard FQDN Address Objects
01/19/2022 
127 People found this article helpful
106,014 Views
Description
FQDN Address Objects support wildcard entries, such as "*.somedomain name.com", by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall.
EXAMPLE: Creating an FQDN Address Object (AO) for "*.logmein.com" will first use the DNS servers configured on the firewall to resolve"logmein.com to 64.94.47.199, 74.201.75.199, 77.242.193.199 (as can be confirmed by nslookup logmein.com or equivalent. These IP addresses could change). Since most DNS servers do not allow zone transfers, it is typically not possibly to automatically enumerate all the hosts in a domain.
Resolution
SonicWall will not try to resolve secure.logmein.com. Instead, the SonicWall will look for DNS responses coming from sanctioned DNS servers as they traverse the firewall.
If a host behind the firewall queries an external DNS server which is also a configured/defined DNS server on the SonicWall for secure.logmein.com, the SonicWall will parse the response to see if it matches the domain of any wildcard FQDN AOs.
Sanctioned DNS servers are those DNS servers configured for use by the SonicWall firewall. The reason that responses from only sanctioned DNS servers are used in the wildcard learning process is to protect against the possibility of FQDN AO poisoning through the use of unsanctioned DNS servers with deliberately incorrect host entries. Future versions of SonicOS Enhanced might offer the option to support responses from all DNS server.
NOTE: Wildcards only support full matches, not partial matches. In other words, "*.SonicWall.com" is a legitimate entry, but "w*.SonicWall.com", "*w.SonicWall.com", and "w*w.SonicWall.com" are not. A wildcard can only be specified once per entry, so "*.*.SonicWall.com", for example, will not be functional.
EXAMPLE: To illustrate, assume the firewall is configured to use DNS servers 4.2.2.1 and 4.2.2.2, and is providing these DNS servers to all firewalled client via DHCP. If firewalled client-A performs a DNS query against 4.2.2.1 or 4.2.2.2 for "secure.logmein.com", the response will be examined by the firewall, and will be matched to the defined "*.logmein.com" FQDN AO. The result (74.201.74.193) will then be added to the resolved values of the "*.logmein.com" dynamic address object.
If the workstation A, in the example above had resolved and cached secure.logmein.com prior to the creation of the "*.logmein.com" AO, secure.logmein.com would not be resolved by the firewall because the client would use its resolver's cache rather than issuing a new DNS request.
As a result, the firewall would not have the chance to learn about secure.logmein.com, unless it was resolved by another host.
On a Microsoft Windows workstation, the local resolver cache can be cleared using the command ipconfig /flushdns.
This will force the client to resolve all FQDNs, allowing the firewall to learn them as they are accessed.
CAUTION: Wildcard FQDN entries will resolve all hostnames within the context of the domain name, up to 512 entries per AO.
For example, "*.SonicWall.com" will resolve www.sonicwall.com, software.SonicWall.com, licensemanager.SonicWall.com, to their respective IP addresses, but it will not resolve sslvpn.demo.SonicWall.com because it is in a different context; for sslvpn.demo.SonicWall.com to be resolved by a wildcard FQDN AO, the entry "*.demo.SonicWall.com" would be required, and would also resolve SonicOS-enhanced.demo.SonicWall.com, csm.demo.SonicWall.com, SonicOS-stand ard.demo.SonicWall.com, etc.
Related Articles
- App Control fails by schema error when editing VPN category
- How to remove 2FA for admin using CLI
- 2FA authentication error using TOTP "Please try again later"
Categories
- Firewalls > NSa Series > Networking
- Firewalls > NSv Series > Networking
- Firewalls > TZ Series > Networking
YES
NO