USG FLEX H Series - FQDN Address Object

Zyxel_Claudia Posts: 78  Zyxel Employee

The latest uOS firmware introduces a highly requested feature for network security: Fully Qualified Domain Name (FQDN) address objects. This enhancement allows dynamic IP address resolution for domain-based filtering in firewall policies, simplifying control over traffic to services whose domains resolve to frequently changing IP addresses.

What is an FQDN Address Object?

An FQDN Address Object enables the firewall to identify and filter traffic by domain name, dynamically resolving and updating IP addresses associated with that domain. This is useful for blocking or allowing access to online services that regularly update their IPs, such as public cloud services, making it much easier to manage without manually updating IP lists.

Key Benefits of FQDN Address Objects

  1. Dynamic IP Resolution: Automatically updates the IPs associated with a domain as they change, which is essential for services with frequently rotating IPs.
  2. Enhanced Security Control: Enables more precise security policies, filtering traffic by domain rather than fixed IP addresses.
  3. Simplifies Policy Management: No need to manually update IP addresses in firewall rules; the firewall will maintain an updated IP list for each domain.

How FQDN Works in Firewall Policies

The FQDN feature allows for domain-based filtering within the firewall's security policies. Here’s how it functions:

  • Automatic IP Discovery: When a client tries to access a domain (e.g., example.com), the firewall captures the DNS-resolved IP and saves it in the FQDN cache.
  • Two-minute Refresh: The firewall checks and updates the FQDN cache every two minutes or when the cache's TTL (Time-To-Live) expires.
  • Wildcard Support: Wildcard FQDN objects (e.g., *.example.com) are supported, allowing more flexible rules for subdomains.

Special Considerations for FQDN Objects

  1. Client has local DNS Record:
    • If the client resolves the name from a local DNS record, it sends no DNS query the firewall can observe; the firewall therefore actively queries the address itself and can still block the traffic.
  2. Handling Encrypted DNS (DoH and DoT):
    • DNS over HTTPS (DoH) and DNS over TLS (DoT) encryption can obscure DNS requests from the firewall.
    • In these cases, the firewall itself performs the FQDN lookups to ensure proper domain resolution.
  3. Wildcard FQDN Objects:
    • Wildcard entries (e.g., *.example.com) are supported, but the firewall may not actively query subdomains. Instead, it will update by sniffing the client's DNS queries.

Comparing FQDN Object Behavior on Different Series

  • H-Series: FQDN caching can be configured to never expire, ensuring persistent entries if required by the security setup.
  • Zyxel ATP and USG Series: These devices automatically refresh FQDN entries based on TTL without an option to disable expiration.
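As an added illustration of the behaviour described in the three sections above (it is example code, not Zyxel's implementation or anything shipped in uOS): a small Python model of an FQDN object cache that learns addresses from observed DNS answers, expires them by TTL, re-resolves exact names itself on its refresh cycle (the case that covers local DNS records and DoH/DoT), relearns wildcard entries only from sniffed client queries, and offers the H-Series never-expire option. The class name, the `resolver` callback and the timing parameters are assumptions.

```python
# Assumed, simplified model of an FQDN address-object cache (not Zyxel's code).
class FqdnCache:
    def __init__(self, objects, refresh_interval=120, never_expire=False):
        self.objects = [o.lower() for o in objects]  # e.g. "example.com", "*.example.com"
        self.refresh_interval = refresh_interval     # the firewall re-checks every two minutes
        self.never_expire = never_expire             # H-Series option; ATP/USG always expire
        self.entries = {}                            # ip -> (matched object, expiry time)
        self.last_refresh = None

    def match(self, name):
        """Return the FQDN object a resolved name belongs to, or None."""
        name = name.lower().rstrip(".")
        for obj in self.objects:
            if obj.startswith("*.") and name.endswith(obj[1:]):  # any subdomain
                return obj
            if name == obj:
                return obj
        return None

    def observe_dns(self, name, ips, ttl, now):
        """Learn addresses from a DNS answer, sniffed from a client or resolved by the firewall."""
        obj = self.match(name)
        if obj is None:
            return False
        for ip in ips:
            self.entries[ip] = (obj, now + ttl)
        return True

    def refresh(self, now, resolver):
        """Periodic check: drop expired entries and let the firewall re-resolve exact names
        itself, which also covers clients with local DNS records or encrypted DNS (DoH/DoT).
        Wildcard objects cannot be enumerated, so they are only relearned from sniffed queries."""
        if self.last_refresh is not None and now - self.last_refresh < self.refresh_interval:
            return
        self.last_refresh = now
        if not self.never_expire:
            self.entries = {ip: e for ip, e in self.entries.items() if e[1] > now}
        for obj in self.objects:
            if not obj.startswith("*."):
                ips, ttl = resolver(obj)  # resolver(name) -> (list of IPs, TTL seconds)
                self.observe_dns(obj, ips, ttl, now)

    def policy_matches(self, dst_ip, now):
        """True when traffic to dst_ip hits the object, so a rule that uses it applies."""
        entry = self.entries.get(dst_ip)
        if entry is None:
            return False
        return self.never_expire or entry[1] > now
```

The `now` values are plain seconds so the expiry and refresh logic can be stepped through by hand; a real device would use its clock and resolver.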

The FQDN Address Object feature in uOS brings flexible, domain-based filtering and is invaluable for managing access to services whose IP addresses change frequently. This update enhances both security and ease of management, especially for organizations using cloud and external services where IPs frequently change.