USG310 - 4.62(AAPJ.0): Wildcard FQDN seems not to be working for routing!

cfts_ea
cfts_ea Posts: 19  Freshman Member
edited April 2021 in Security
I have been trying to get Wildcard FQDNs working in routing, with mixed results. Right now I'm having to list domains and sub-domains one by one, and it's getting quite tedious.

For example, I wish to allow/redirect all traffic to *.fbcdn.com to another link. I have this working by listing each and every domain/subdomain; however, the wildcard option seems not to be working.

I have made the appropriate wildcards but, as said, these seem not to work. Is it possible for someone to advise how I'm supposed to use this feature?


All Replies

  • cfts_ea
    cfts_ea Posts: 19  Freshman Member
    edited March 2021
    A small correction: for example, I wish to allow/redirect all traffic to *.fbcdn.com to another link. I have this working by listing each and every domain/subdomain; however, the wildcard option seems not to be working.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited March 2021 Answer ✓

    OK, something to keep in mind about Wildcard FQDN vs non-Wildcard FQDN: non-wildcard entries are looked up by the USG itself, whereas Wildcard FQDN entries are found from DNS lookups done to the USG or through the USG. So if a client uses, say, Firefox with DNS over HTTPS, the USG will not see the lookups.


  • cfts_ea
    cfts_ea Posts: 19  Freshman Member
    edited March 2021
    PeterUK said:

    OK, something to keep in mind about Wildcard FQDN vs non-Wildcard FQDN: non-wildcard entries are looked up by the USG itself, whereas Wildcard FQDN entries are found from DNS lookups done to the USG or through the USG. So if a client uses, say, Firefox with DNS over HTTPS, the USG will not see the lookups.


    Thank you. All DNS lookups are routed through the VPN and then to an SDNS (DoH) server on our side, so I'm guessing there's no way for me to resolve this easily.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    Answer ✓
    So you've got clients connecting by VPN to the USG?

    Can you not run a BIND server where DNS is in the clear?
  • cfts_ea
    cfts_ea Posts: 19  Freshman Member
    edited March 2021
    PeterUK said:
    So you've got clients connecting by VPN to the USG?

    Can you not run a BIND server where DNS is in the clear?
    Thanks. I set up a Raspberry Pi with a commercial-grade VPN, Pi-hole and DNSCrypt; it works a treat and complements the USG very nicely.

    https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
    https://github.com/pi-hole/pi-hole
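
The mechanism PeterUK describes (Wildcard FQDN objects are filled from DNS replies that pass through the USG, so DoH hides them) and the arrangement cfts_ea ended up with (a Pi-hole that the VPN clients query in the clear, with DNSCrypt only on the Pi-hole's upstream leg) modelled as an added Python example. This is not Zyxel's code and not from the thread: the packets, hostnames and RFC 5737 addresses are constructed, and two things are assumptions of the model rather than documented USG behaviour: that `*.fbcdn.com` means "any name ending in .fbcdn.com", and that only traffic to resolver port 53 is parseable DNS.

```python
"""Model of a firewall learning a wildcard FQDN object's addresses from the DNS
replies it sees, and why DoH starves it. Added example for this thread, not
Zyxel code; packets and hostnames are constructed, IPs are RFC 5737 ranges."""
import struct

def encode_name(name: str) -> bytes:
    """Hostname -> DNS label sequence (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_dns_response(qname: str, answers) -> bytes:
    """Minimal response; answers are (owner, rtype, rdata) with rtype 1 = A
    (dotted quad) or 5 = CNAME (target name)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == 1 else encode_name(rdata)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg

def _read_name(data: bytes, off: int):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end  # resume after the first pointer
            off = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)

def parse_dns_response(data: bytes):
    """Return ({owner: {ip, ...}}, {alias: target}) from one DNS response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(data, off)
        off += 4
    a_records, cnames = {}, {}
    for _ in range(an):
        owner, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.setdefault(owner, set()).add(".".join(str(b) for b in data[off:off + 4]))
        elif rtype == 5:
            cnames[owner] = _read_name(data, off)[0]
        off += rdlen
    return a_records, cnames

class WildcardFqdnObject:
    """'*.fbcdn.com' -> learned IPs. Suffix-match semantics are an assumption."""
    def __init__(self, pattern: str):
        if not pattern.startswith("*."):
            raise ValueError("wildcard pattern must start with '*.'")
        self.suffix, self.addresses = pattern[1:].lower(), set()
    def matches(self, name: str) -> bool:
        return name.lower().endswith(self.suffix)
    def observe(self, resolver_port: int, payload: bytes) -> int:
        """One reply seen crossing the firewall; returns how many new IPs it taught us."""
        if resolver_port != 53:                    # DoH/DoT/DNSCrypt: opaque, nothing learned
            return 0
        a_records, cnames = parse_dns_response(payload)
        learned = 0
        for owner in set(a_records) | set(cnames):
            if not self.matches(owner):            # match the name the client asked for
                continue
            target, hops = owner, 0
            while target in cnames and hops < 8:   # follow CNAMEs, even into other zones
                target, hops = cnames[target], hops + 1
            new = a_records.get(target, set()) - self.addresses
            self.addresses |= new
            learned += len(new)
        return learned

def demo():
    obj = WildcardFqdnObject("*.fbcdn.com")
    # 1. Plain DNS crossing the USG: alias under *.fbcdn.com, CNAME into another zone.
    plain = build_dns_response("scontent.xx.fbcdn.com", [
        ("scontent.xx.fbcdn.com", 5, "edge.cdn.example.net"),
        ("edge.cdn.example.net", 1, "192.0.2.10"),
        ("edge.cdn.example.net", 1, "192.0.2.11")])
    n_plain = obj.observe(53, plain)
    # 2. Same lookup over DoH: the USG sees only a TLS record on port 443.
    n_doh = obj.observe(443, b"\x17\x03\x03\x00\x40" + bytes(64))
    # 3. VPN client -> Pi-hole in the clear (the leg that crosses the USG); the
    #    Pi-hole's DNSCrypt upstream leg need not be visible for the match.
    pihole = build_dns_response("video.xx.fbcdn.com", [("video.xx.fbcdn.com", 1, "198.51.100.7")])
    return n_plain, n_doh, obj.observe(53, pihole), sorted(obj.addresses)
```

`demo()` returns `(2, 0, 1, [...])`: the plaintext reply teaches the object two addresses even though the CNAME chain leaves the fbcdn.com zone, the DoH exchange teaches it nothing, and the client-to-Pi-hole reply is learnable again because that leg is plaintext on port 53. The practical check this suggests is whether port-53 traffic for the names in question actually crosses the USG: if the clients resolve over DoH, or query a resolver on their own segment so the reply never transits the firewall, a Wildcard FQDN object stays empty no matter how it is configured.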