When enterprises provide services externally through domain names, configuring fine-grained domain Access Control rules is a critical step to ensure the security of business traffic. CFW offers multiple matching modes for this purpose, catering to diverse boundary scenarios and security requirements. Currently, CFW supports the following matching modes:
| Matching mode | Description |
| --- | --- |
| FQDN matching | Matches on the Host header field of application-layer packets or on the SNI extension field. |
| DNS resolution matching | For domain names configured in dynamic resolution rules, checks only whether the destination IP address of the access belongs to the domain name's current DNS resolution results. |
| Loose matching | The access is matched if it meets the FQDN matching rules, or if the client IP address of the access belongs to any of the IP addresses in the domain name's current DNS resolution results; either condition is sufficient. |
| Strict matching | The access is matched only if it meets the FQDN matching rules and the client IP address belongs to any of the IP addresses in the domain name's current DNS resolution results; both conditions must be satisfied simultaneously. |
The aforementioned matching methods are essentially based on two core resolution technologies: FQDN direct identification and DNS dynamic resolution. The following section details these two domain name identification modes.
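To make the four modes concrete, the following is an added Python example (not CFW code) that evaluates one flow against one domain rule in each mode. It assumes that the IP compared against the resolution results is the flow's destination IP, that a wildcard entry such as `*.example.com` matches any name with at least one label in front of `.example.com`, and that the resolver cache is a constructed stand-in for CFW's current DNS results; `Flow`, `matches` and `DNS_CACHE` are names chosen for this example.

```python
"""Added example (not CFW code): evaluate a flow against a domain rule in each
of the four CFW matching modes. Assumptions: the IP compared against the DNS
results is the flow's destination IP; '*.example.com' matches any name with at
least one label in front of '.example.com'; the resolver cache is constructed."""
from dataclasses import dataclass
from typing import Optional, Set


def domain_matches(rule_domain: str, host: str) -> bool:
    """FQDN string comparison between a rule entry and the Host/SNI value."""
    host = host.lower().rstrip(".")
    rule_domain = rule_domain.lower().rstrip(".")
    if rule_domain.startswith("*."):
        suffix = rule_domain[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule_domain


@dataclass
class Flow:
    dst_ip: str                 # destination IP of the connection
    host: Optional[str] = None  # Host header or SNI; None for plain TCP/UDP


# Constructed stand-in for CFW's current DNS resolution results.
DNS_CACHE = {
    "app.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.com": {"203.0.113.20"},
}


def resolved_ips(rule_domain: str) -> Set[str]:
    """Dynamic resolution accepts standard names only, so wildcards resolve to nothing."""
    if rule_domain.startswith("*."):
        return set()
    return DNS_CACHE.get(rule_domain.lower().rstrip("."), set())


def matches(mode: str, rule_domain: str, flow: Flow) -> bool:
    """Apply one of the four CFW matching modes to a single flow."""
    fqdn_hit = flow.host is not None and domain_matches(rule_domain, flow.host)
    dns_hit = flow.dst_ip in resolved_ips(rule_domain)
    if mode == "fqdn":
        return fqdn_hit
    if mode == "dns":
        return dns_hit
    if mode == "loose":
        return fqdn_hit or dns_hit
    if mode == "strict":
        return fqdn_hit and dns_hit
    raise ValueError(f"unknown matching mode: {mode}")


if __name__ == "__main__":
    # Host says app.example.com, but the destination is not one of its resolved IPs.
    mismatched = Flow("198.51.100.5", "app.example.com")
    for mode in ("fqdn", "dns", "loose", "strict"):
        print(f"{mode:6}: {matches(mode, 'app.example.com', mismatched)}")
```

The mismatched flow in the `__main__` block is the case the two combined modes exist for: FQDN and loose matching accept it on the domain string alone, DNS matching rejects it because the destination is not a resolved address, and strict matching rejects it because only one of the two conditions holds.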
FQDN Direct Identification
Feature
FQDN direct identification performs traffic control based on the domain name in the access request, directly matches the domain name string, and does not verify the actual IP address resolved from the domain name.
When traffic transits through the firewall, the system inspects the domain information in the request (such as the Host field in the HTTP header) and determines whether to allow the traffic based on predefined rules.
Configuration Specification
| Item | Specification |
| --- | --- |
| Protocol support | HTTP / HTTPS, HTTP, HTTPS, SMTP / SMTPS, SMTP, SMTPS, DNS. |
| Input rule | Non-DNS protocols: mixed input of IP addresses and domain names is supported (multiple entries separated by commas); IP addresses do not support CIDR notation or wildcards. DNS protocol: only domain names may be entered. |
| Domain format | Standard domain names (www.example.com) and wildcard format (*.example.com). |
Scenario
Implementing granular Access Control based on domain content for application-layer protocols such as HTTP, HTTPS, and SMTP.
It can be combined with DNS dynamic resolution to form loose or strict matching, which addresses complex scenarios and improves rule hit rate and business continuity.
Restriction Description
Only applies to application-layer protocols that support Host or SNI fields.
FQDN direct identification is based on content recognition and does not depend on the IP address resolved from the domain name. For example, a rule allowing app.example.com does not affect other services that access the resolved IP address directly.
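FQDN direct identification works purely on the domain string carried in the request. The following added Python example (not CFW code) shows what that content recognition involves: it pulls the Host header out of an HTTP request and the server_name (SNI) extension out of a TLS ClientHello, and never consults the destination IP address. The ClientHello is produced by a small constructed builder so the example runs offline; `extract_http_host`, `extract_sni` and `build_client_hello` are names chosen for this example.

```python
"""Added example (not CFW code): extract the domain that FQDN direct identification
keys on, from an HTTP request (Host header) and from a TLS ClientHello (SNI).
The ClientHello is constructed with a minimal builder; nothing below looks at
the destination IP address."""
from typing import Optional


def extract_http_host(request: bytes) -> Optional[str]:
    """Return the lowercase Host header value without port, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):               # bracketed IPv6 literal
                return host[1:host.index("]")]
            return host.split(":", 1)[0]
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Walk TLS record -> Handshake -> ClientHello -> extensions and return the
    host_name entry of the server_name extension (type 0), or None."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # legacy_version + random
        pos += 1 + body[pos]                       # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
        pos += 1 + body[pos]                       # compression methods
        if pos + 2 > len(body):
            return None                            # no extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                               # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = int.from_bytes(edata[lpos + 1:lpos + 3], "big")
                if ntype == 0:                     # host_name
                    return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace").lower()
                lpos += 3 + nlen
    except IndexError:                             # truncated or malformed record
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying one SNI entry (constructed input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # host_name entry
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                # version + random
            + b"\x00"                              # empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

The value either function returns is the only thing an FQDN rule compares against, which is why a flow to the same address that carries no Host header or no SNI (or a different one) is unaffected by a rule written for app.example.com.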
DNS Dynamic Resolution
Feature
DNS dynamic resolution implements Access Control by associating domain names with IP addresses in real time. It does not depend on application-layer protocols, rules take effect automatically as the domain's resolved IPs change, and it supports a wide range of TCP/UDP traffic.
Configuration Specification
| Item | Specification |
| --- | --- |
| Protocol support | No restriction on application type; applies to any IP address-based TCP/UDP traffic. |
| Resolution method | CFW integrates dynamic domain name resolution: it resolves configured domain names via DNS and presents the results (IP address lists) visually. Users can therefore enter domain names directly in Access Control rules, and the firewall automatically enforces the rule on the resolved IP addresses (up to 1000 IP addresses per domain). Two DNS resolution methods are provided, described below the table. |
| Record support | Supports A records, AAAA records, and CNAME records for domain name resolution. |
| Input rule | The access target only supports standard domain names (such as www.example.com); wildcard domains (such as *.example.com), IP addresses and CIDR blocks cannot be entered. |
The system currently provides two DNS resolution methods to accommodate different scenario requirements:
Default DNS resolution: uses the default DNS server addresses provided by Tencent Cloud, 183.60.82.98 and 183.60.83.19. Applies to all firewall types without additional configuration.
Custom DNS resolution: users manually configure custom DNS server addresses, for cases where a particular DNS server must be used for domain name resolution. Only NAT border rules support custom DNS resolution, which is configured as follows:
a. Log in to the CFW console and choose Firewall Toggle > NAT Firewall in the left sidebar.
b. On the NAT Boundary page, select the instance requiring custom DNS resolution and choose More > Network configuration > Configure DNS Resolution.
c. On the Configure Resolution DNS interface, enter the custom resolution DNS and custom backup DNS, then click OK.
Scenario
For services with dynamically changing IPs, such as CDNs and cloud platform load balancers (CLB) with non-fixed IP addresses, the rules update automatically following the DNS resolution results.
Implementing domain-based Access Control for non-HTTP/HTTPS generic TCP/UDP services such as database access and custom API interfaces.
It can be combined with FQDN direct identification to form loose or strict matching, which addresses complex scenarios and improves rule hit rate and business continuity.
Restriction Description
The impact of multiple domains sharing the same IP address: If multiple domains resolve to the same IP address, any allow rule targeting one domain will permit all traffic accessing that IP address. For example, if example.com (resolving to IP 1.1.1.1) is allowed, and another.com also resolves to 1.1.1.1, traffic accessing another.com will also be unintentionally allowed.
Rules based on DNS resolution consume firewall quota, and rule updates depend on the DNS resolution cycle (CFW rules automatically update approximately every 1 minute), resulting in a certain delay.
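Both restrictions can be checked against a resolution snapshot before a DNS-based rule is deployed. The following added Python example (not CFW code) audits a list of rule domains: it reports, for each allowed domain, the resolved IPs that other domains also resolve to (the example.com / another.com case above), and lists domains whose current result exceeds the 1000-address limit. The resolution data is constructed, and `shared_ip_report` and `over_ip_cap` are names chosen for this example.

```python
"""Added example (not CFW code): audit DNS-resolution rule domains against a
resolution snapshot for shared IPs and for the per-domain IP limit. The
resolution data and function names are constructed for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed snapshot standing in for CFW's visualised resolution results.
RESOLUTION: Dict[str, Set[str]] = {
    "example.com": {"1.1.1.1"},
    "another.com": {"1.1.1.1"},
    "api.example.com": {"203.0.113.5", "203.0.113.6"},
    "db.example.net": {"203.0.113.6"},
    # 1001 constructed addresses to exercise the per-domain limit
    "big-cdn.example.org": {f"10.0.{i // 256}.{i % 256}" for i in range(1001)},
}


def index_by_ip(resolution: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the snapshot: IP address -> set of domains that resolve to it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for domain, ips in resolution.items():
        for ip in ips:
            index[ip].add(domain)
    return index


def shared_ip_report(allowed: Iterable[str],
                     resolution: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """For each allowed domain, list the IPs that other domains also resolve to.
    An allow rule on the domain admits traffic to those IPs under the other names too."""
    index = index_by_ip(resolution)
    report: Dict[str, Dict[str, List[str]]] = {}
    for domain in allowed:
        for ip in sorted(resolution.get(domain, ())):
            others = index[ip] - {domain}
            if others:
                report.setdefault(domain, {})[ip] = sorted(others)
    return report


def over_ip_cap(resolution: Dict[str, Set[str]], cap: int = 1000) -> List[str]:
    """Domains whose current resolution result exceeds the per-domain limit."""
    return sorted(d for d, ips in resolution.items() if len(ips) > cap)


if __name__ == "__main__":
    for domain, ips in shared_ip_report(["example.com", "api.example.com"], RESOLUTION).items():
        for ip, others in ips.items():
            print(f"allow {domain}: {ip} is also used by {', '.join(others)}")
    print("over limit:", over_ip_cap(RESOLUTION))
```

Where the protocol carries a Host header or SNI, strict matching narrows the shared-IP effect: because it also requires the FQDN to match, traffic for another.com to 1.1.1.1 does not satisfy a strict rule written for example.com. The delay noted above applies in the other direction as well: a snapshot like this one is only as current as the last resolution cycle.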