How does the FQDN Wildcard work?
Last modified on 8 Feb, 2022. Revision 7| Up to date for | 14.00.00 |
| Supported since | 12.00.10 |
| Status | OK |
Question:
I have applied a FQDN-Object with a wildcard as destination net in one of my IP-Policys. But currently the traffic wont match the rule and the traffic is dropped. If i remove the wildcard and input the whole FQDN-address everything works. Something must be wrong with the firewall.
Answer:
First we must go through how the FQDN Wildcard works in cOS Core.
To get the wildcards to work it needs a DNS-Profile applied to the DNS-policy, read more about this in the cOS Core Admin Guide, example for version 14.00.00 section 6.1.12. DNS ALG, page 640 and on page 193.
As the FQDN-objects with wildcard relies on DNS to work, there are some scenarios when the objects wont update with the correct address and the traffic will be blocked.
The FQDN Wildcard object is updated when a DNS query is made from the client, and if it matches the FQDN-object the IP will be added to the cache for that object on the firewall.
If the IP is already in the cache of the client, no DNS query will be made and the firewalls cache will remain empty as the Firewall will not receive any DNS queries from the client. This resulting in that policies/objects wont function properly as the Firewall lacks details about the resolved DNS entry.
This problem could be solved by flushing the clients DNS cache or use another client without this FQDN resolved. Another solution would be to have your own DNS server with a low TTL, so that you won’t end up in a situation where the clients have the resolved FQDN but it’s not present in the Firewall.
Related articles
22 Sep, 2021 core ftps sftp
23 Aug, 2022 core ipreputation
23 Aug, 2022 core arp routing
9 Mar, 2021 core
27 Apr, 2022 arm x86 core
23 Aug, 2022 core certificate oneconnect ipsec vpn
23 Aug, 2022 sslvpn openconnect oneconnect android core
8 Sep, 2020 snmp core wireshark
30 Mar, 2022 core ethernet netwall coscore
2 Feb, 2021 core sslvpn macos certificate
19 Feb, 2021 core arp
7 Sep, 2022 core cli pcap netwall pcapdump
23 Aug, 2022 core ha cluster
22 Mar, 2021 core ipsec routing
23 Aug, 2022 vmware log ha rarp arp core
22 Jan, 2021 core ipreputation
15 Apr, 2021 core brokenlink cluster
17 Jun, 2021 core ipsec routing
23 Aug, 2022 core arp garp
9 Mar, 2021 core ping connections
5 Mar, 2021 sslvpn openconnect oneconnect linux core
8 Apr, 2021 core sslvpn oneconnect interfaces arp
1 Jun, 2022 core routing management
8 Sep, 2020 core ipreputation blacklist threatprevention
23 Jun, 2021 core connections
31 Mar, 2022 incontrol core netcon netwall ha cluster coscore
25 May, 2022 howto core authenticator authentication webauth captive
13 May, 2022 core license
24 May, 2021 core howto mdns multicast transparentmode airprint igmp dns
21 Apr, 2021 core cluster ha
14 Apr, 2021 core license ipsec
8 Sep, 2020 core ipsec rules access
26 May, 2021 kvm core arm x86
25 Jan, 2022 core ethernet settings
6 Jul, 2021 core stream tcpsequence sequence stateless
11 Apr, 2021 core sfp gbic hardware
23 Aug, 2022 core oneconnect
28 Oct, 2020 core howto ethernet packetloss cpu
24 Nov, 2021 core arm kvm
16 Jun, 2021 core stateless rules netwall
29 Jun, 2021 core oneconnect
23 May, 2022 core log logreceiver
23 Aug, 2022 howto core pbr routing netwall isp
20 May, 2021 kvm core arm coscore netwall
23 Aug, 2022 core behaviour icmp ping traceroute
23 Aug, 2022 core ipsec license memory
25 Jan, 2021 brokenlink core arp log routing
30 Nov, 2020 howto core cloud-init dhcp
15 Dec, 2021 core idp ipreputation log4j
24 Mar, 2021 core connections
21 Jun, 2022 core ha hacluster netwall coscore slb
7 May, 2021 core ethernet vlan arp garp
9 Jul, 2021 core mtu netwall mtudiscovery
23 Aug, 2022 core connections ipsec memory
27 Jan, 2021 core stateless routing brokenlink
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core
8 Jul, 2021 incontrol domains core