How does the FQDN Wildcard work?

Question:
I have applied a FQDN-Object with a wildcard as destination net in one of my IP-Policys. But currently the traffic wont match the rule and the traffic is dropped. If i remove the wildcard and input the whole FQDN-address everything works. Something must be wrong with the firewall.

Answer:
First we must go through how the FQDN Wildcard works in cOS Core.
To get the wildcards to work it needs a DNS-Profile applied to the DNS-policy, read more about this in the cOS Core Admin Guide, example for version 14.00.00 section 6.1.12. DNS ALG, page 640 and on page 193.

As the FQDN-objects with wildcard relies on DNS to work, there are some scenarios when the objects wont update with the correct address and the traffic will be blocked.

The FQDN Wildcard object is updated when a DNS query is made from the client, and if it matches the FQDN-object the IP will be added to the cache for that object on the firewall.
If the IP is already in the cache of the client, no DNS query will be made and the firewalls cache will remain empty as the Firewall will not receive any DNS queries from the client. This resulting in that policies/objects wont function properly as the Firewall lacks details about the resolved DNS entry.

This problem could be solved by flushing the clients DNS cache or use another client without this FQDN resolved. Another solution would be to have your own DNS server with a low TTL, so that you won’t end up in a situation where the clients have the resolved FQDN but it’s not present in the Firewall.

Related articles