Referencing Domain Groups in Security Policies
As the name implies, a domain group is a set of domain names. Because each domain name resolves to IP addresses, a domain group is in effect also an IP address group.
In a dynamic network environment, IP addresses keep changing. It is difficult for network administrators to trace IP address changes and update security policies promptly. In this case, you can use the domain group instead of the IP address as the matching condition of a security policy. Common application scenarios are as follows:
- Permits or blocks all traffic destined for a specified domain name. For example, the web server with the domain name www.example.com in the data center needs to access the image server with the domain name img.hi4example.com.
- Blocks the traffic destined for a specified domain name but permits the traffic destined for its subdomain name. For example, employees are not allowed to access salesforce.com but are allowed to access huawei.my.salesforce.com.
- Prevents employees from accessing the Internet, but allows software to be updated automatically. For example, the Windows operating system needs to frequently download patches from the Windows Server Update Services (WSUS) server, and the virus database of antivirus software needs to be updated periodically.
Working Principles of Domain Groups
To access a specified service using a domain name, a client needs to send a DNS request to the DNS server. The firewall resolves the response packet from the DNS server to obtain the mapping between the domain name and IP address, confirms that the domain name belongs to a domain group, and records the mapping in the domain name mapping table. When the client initiates a service access request to the server, the firewall checks the security policy based on the domain name mapping table. In this scenario, DNS request packets from the client must pass through the firewall, as shown in Figure 3-1.
If the DNS request from the client does not pass through the firewall, the firewall cannot obtain the mapping between the domain name and IP address from the DNS response packet. In this case, you need to configure a DNS server on the firewall, which then initiates DNS requests itself to obtain the domain name mapping. If the TTL is less than 7 minutes, the firewall initiates a DNS request every 3 minutes to update the domain name mapping table. The domain name resolution results of different DNS servers may vary by geographical location, time zone, and load balancing configuration. Therefore, the DNS server configured on the firewall must be the same as that used by the client.
The domain name mapping table is stored in the memory of the firewall. When the firewall restarts, the domain name mapping table is cleared. A client that still holds the result in its DNS cache does not initiate a DNS request again, so the firewall cannot rebuild the domain name mapping table from client traffic. In this case, you also need to configure a DNS server on the firewall.
Considering the possibility of firewall restart, you are advised to configure a DNS server on a firewall regardless of whether a DNS request from the client passes through the firewall.
Configuring a Domain Group
The Windows operating system update scenario is used as an example. The complete configuration of a domain group includes three steps.
1. Configure a domain group. Many domain names are used for Windows operating system updates. For details, see Microsoft's official documentation. The domain name list here is used only as an example and may not be complete.
    system-view
    domain-set name WindowsUpdate
    description WindowsUpdate
    add domain windowsupdate.microsoft.com
    add domain *.windowsupdate.microsoft.com
    add domain *.update.microsoft.com
    add domain *.windowsupdate.com
    add domain download.microsoft.com
    add domain wustat.windows.com
The domain names added to a domain group can be a specific domain name (download.example.com) or a domain name with a wildcard (*.example.com). The following domain names can match *.example.com:
- www.example.com
- news.example.com
- www.news.example.com
If a wildcard is used, the domain name can contain only one "*" and must start with "*". The supported formats of domain names with a wildcard are listed in Table 3-1.
Table 3-1 Supported and unsupported formats of domain names with a wildcard

| Supported Domain Name Format | Unsupported Domain Name Format |
|---|---|
| *.example.com | *.com or *.net (too many domain names involved to handle) |
| *.a.example.com | *.*.example.com (You can use *.example.com instead.) |
| *.a.b.example.com | *.example.*.com (Only one wildcard character is allowed.) |
| | example.*.com (The wildcard must replace the leftmost label in a domain name.) |
| | *example.com or example*.com (The wildcard must replace the entire label of a domain name.) |
| | *.a.b.c.example.com (A domain name with a maximum of five labels is valid.) |
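The entry rules in Table 3-1 and the wildcard matching described above, worked through as an added example (this is illustrative Python, not the firewall's own code; the function names and the "malformed" label check are assumptions, the domain list is the page's WindowsUpdate domain-set):

```python
import re

MAX_LABELS = 5                 # page rule: a wildcard domain name has at most five labels
LABEL_RE = re.compile(r"[a-z0-9*-]+")

def validate_domain_entry(entry: str) -> tuple:
    """Apply the page's domain-group entry rules. Returns (accepted, reason)."""
    entry = entry.strip().lower().rstrip(".")
    labels = entry.split(".")
    if not entry or not all(LABEL_RE.fullmatch(label) for label in labels):
        return False, "malformed domain name"          # assumed basic syntax check
    if "*" not in entry:
        return True, "specific domain name"
    if entry.count("*") > 1:
        return False, "only one wildcard character is allowed"
    if labels[0] != "*":
        return False, "the wildcard must replace the entire leftmost label"
    if len(labels) < 3:
        return False, "*.<tld> involves too many domain names"
    if len(labels) > MAX_LABELS:
        return False, "more than five labels"
    return True, "wildcard domain name"

def domain_matches(hostname: str, entry: str) -> bool:
    """True if hostname is covered by a (validated) domain-group entry.
    *.example.com covers any name with one or more labels in front of
    example.com, but not example.com itself and not notexample.com."""
    host = hostname.strip().lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]                            # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry

def matching_entries(hostname: str, group: list) -> list:
    """Entries of a domain group that a resolved name belongs to (input to the policy decision)."""
    return [e for e in group if validate_domain_entry(e)[0] and domain_matches(hostname, e)]

# The page's WindowsUpdate domain-set, as a Python list.
WINDOWS_UPDATE = ["windowsupdate.microsoft.com", "*.windowsupdate.microsoft.com",
                  "*.update.microsoft.com", "*.windowsupdate.com",
                  "download.microsoft.com", "wustat.windows.com"]
```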
2. Configure a DNS server on the firewall. The DNS server must be the same as that used by the client. Here, the Google Public DNS server is used as an example.
    system-view
    dns resolve
    dns server 8.8.8.8
    dns server 8.8.4.4
3. Configure security policies that reference the domain group and permit DNS request packets.
    security-policy
     rule name "Allow Windows update"
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.10 24
      destination-address domain-set WindowsUpdate   //Reference the created domain group.
      action permit
     rule name "Allow DNS"
      source-zone trust                    //Allow DNS request packets from the client to pass through the firewall.
      source-zone local                    //Allow the firewall to send DNS request packets.
      destination-zone untrust             //Set the zone where the DNS server is located.
      destination-address address-set 114DNS   //Set the destination IP address to that of 114DNS.
      service dns
      action permit
Verify the resolution result:
    <sysname> display domain-set verbose WindowsUpdate
    Domain-set: WindowsUpdate
     Description: WindowsUpdate
     Reference number(s): 1
     Item number(s): 6
     Item(s):
      Domain: windowsupdate.microsoft.com
       ID : 0
       Total IP Address: 1
       IP Address: 52.185.71.28
       TTL : 38400 seconds
       Left Time : 38400 seconds
       Hit Times : 1
      Domain: *.windowsupdate.microsoft.com
       ID : 1
       Total IP Address: 0
      Domain: *.update.microsoft.com
       ID : 2
       Total IP Address: 0
      Domain: *.windowsupdate.com
       ID : 3
       Total IP Address: 0
      Domain: download.microsoft.com
       ID : 4
       Total IP Address: 0
      Domain: wustat.windows.com
       ID : 5
       Total IP Address: 0
Common Causes of Domain Name Resolution Failures
1. DNS requests from clients do not pass through the firewall. Configure the same DNS server as the client's on the firewall.
2. The client has a DNS cache entry and therefore does not initiate a DNS request. Clear the DNS cache on the client or firewall.
For the client on the Windows operating system: run the ipconfig /flushdns command.
For the firewall: run the reset dns dynamic-host command.
3. Local domain name resolution is configured in the hosts file on the client, so no DNS request is sent. Delete the local domain name entry.
4. The domain name specified in the domain group uses an alias. Earlier firewall versions support only the DNS A record type. When a domain name is an alias, the DNS response packet carries a CNAME record, and such a firewall cannot resolve the final IP address. The latest firewall version supports both the DNS A and CNAME record types. Upgrade the firewall to the latest version.
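The working principle from the section above (learning mappings from DNS responses, the 7-minute/3-minute refresh rule, table loss on restart) and failure cause 4 (CNAME answers on an A-only firewall), modelled as an added example; this is illustrative Python, not the firewall's code, and the class, method names and the sample answer section are constructed:

```python
from dataclasses import dataclass, field
# Page rule: a TTL under 7 minutes makes the firewall re-query every 3 minutes.
REFRESH_THRESHOLD, REFRESH_INTERVAL = 7 * 60, 3 * 60

def refresh_seconds(ttl: int) -> int:
    """Seconds until the firewall re-queries a name (using the TTL itself above the threshold is assumed)."""
    return REFRESH_INTERVAL if ttl < REFRESH_THRESHOLD else ttl

@dataclass
class MappingTable:  # model of the firewall's in-memory mapping table (hypothetical, not firewall code)
    group: list                                # domain-group entries, wildcard or specific
    table: dict = field(default_factory=dict)  # ip -> (domain name, expiry timestamp)

    def in_group(self, name: str) -> bool:
        return any(name == e or (e.startswith("*.") and name.endswith(e[1:])) for e in self.group)

    def learn(self, qname: str, answers: list, now: int, follow_cname: bool = True) -> list:
        """Record the A records reached from qname in an answer section of (name, rtype, rdata, ttl)
        tuples, following CNAMEs unless follow_cname is False (older firewalls parse A records only)."""
        if not self.in_group(qname):
            return []                          # not a domain-group member: nothing to record
        by_name = {}
        for name, rtype, rdata, ttl in answers:
            by_name.setdefault(name, []).append((rtype, rdata, ttl))
        target, seen, recorded = qname, set(), []
        while target not in seen:
            seen.add(target)                   # guards against CNAME loops
            rrs = by_name.get(target, [])
            a_records = [(d, ttl) for t, d, ttl in rrs if t == "A"]
            if a_records:
                for ip, ttl in a_records:
                    self.table[ip] = (qname, now + ttl)
                    recorded.append(ip)
                break
            cnames = [d for t, d, _ in rrs if t == "CNAME"]
            if not cnames or not follow_cname:
                break                          # A-only parser stops here: no IP learned
            target = cnames[0]
        return recorded

    def matches(self, dst_ip: str, now: int) -> bool:
        """Policy check: is dst_ip currently mapped to a domain-group member?"""
        entry = self.table.get(dst_ip)
        return entry is not None and entry[1] > now
    def restart(self) -> None:
        self.table.clear()                     # a restart wipes the table; warm client caches will not refill it

# Constructed sample answer section: the member name is a CNAME to a CDN name with two A records.
SAMPLE_ANSWERS = [("download.microsoft.com", "CNAME", "dl.cdn.example.net", 300),
                  ("dl.cdn.example.net", "A", "203.0.113.10", 60),
                  ("dl.cdn.example.net", "A", "203.0.113.11", 60)]
```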