Fully qualified domain name objects overview

Fully qualified domain name (FQDN) objects let you define firewall rules by using domain names instead of specific IP addresses. This document describes how FQDN objects map to IP addresses and support various Cloud DNS services:

This document is intended for network administrators and security engineers who configure and manage firewall policies.

To use FQDN objects, the Virtual Private Cloud (VPC) network can't use an outbound server policy with an alternative name server. For more information, see VPC network resolution order.

Map FQDN objects to IP addresses

Cloud Next Generation Firewall periodically resolves FQDN objects to IP addresses. Cloud NGFW follows the Cloud DNS VPC name resolution order in the VPC network that contains the firewall rule's targets.

Cloud NGFW uses the following behavior for IP address resolution:

  • Support CNAME chasing. Cloud NGFW uses Cloud DNS CNAME chasing if the answer to a FQDN object query is a CNAME record.

  • Program IP addresses. Cloud NGFW uses the resolved IP addresses when it programs the firewall rules that use FQDN objects. Each FQDN object can be mapped to a maximum of 32 IPv4 addresses and 32 IPv6 addresses.

    If the DNS answer for an FQDN object query resolves to more than 32 IPv4 addresses or more than 32 IPv6 addresses, Cloud NGFW limits the programmed IP addresses in the firewall rules to the first 32 IPv4 addresses and the first 32 IPv6 addresses.

  • Ignore FQDN objects. If Cloud NGFW cannot resolve an FQDN object to an IP address, it ignores the FQDN object. In the following situations, Cloud NGFW ignores an FQDN object:

    • When NXDOMAIN answers are received. NXDOMAIN answers are explicit answers from a name server indicating that no DNS record for the FQDN object query exists.

    • When no IP address exists in an answer. In this situation, an FQDN object query doesn't result in an answer with an IP address that Cloud NGFW can use to program a firewall rule.

    • When Cloud DNS server is unreachable. Cloud NGFW ignores FQDN objects if a DNS server that provides the answer is unreachable.

    When an FQDN object is ignored, Cloud NGFW programs the remaining portions of a firewall rule, if possible.

Considerations for FQDN objects

Consider the following for FQDN objects:

  • You can combine FQDNs with other parameters. For details about source parameter combinations in ingress rules, see Sources for ingress rules. For details about destination parameter combinations in egress rules, see Destinations for egress rules.

  • Because FQDN objects map to and are programmed as IP addresses, Cloud NGFW uses the following behavior when two or more FQDN objects map to the same IP address. Assume you have the following two firewall rules that apply to the same target:

    • Rule 1: priority 100, ingress allow from source FQDN example1.com
    • Rule 2: priority 200, ingress allow from source FQDN example2.com

    If both example1.com and example2.com resolve to the same IP address, ingress packets from both example1.com and example2.com match the first firewall rule because this rule has a higher priority.

  • Considerations for using FQDN objects include the following:

    • A DNS query can have unique answers based on the location of the requesting client.

    • DNS answers can be highly variable when a DNS-based load balancing system is involved.

    • A DNS answer might contain more than 32 IPv4 addresses.

    • A DNS answer might contain more than 32 IPv6 addresses.

    In the preceding situations, because Cloud NGFW performs DNS queries in each region that contains the VM network interface to which the firewall rule applies, the programmed IP addresses in firewall rules don't contain all possible IP addresses associated with the FQDN.

    Most Google domain names, such as googleapis.com, are subject to one or more of these situations. Use IP addresses or address groups instead.

  • Avoid using FQDN objects with DNS A records that have a time to live (TTL) of less than 90 seconds.

Format domain names

FQDN objects must follow the standard FQDN format. This format is defined in RFC 1035, RFC 1123, and RFC 4343. Cloud NGFW rejects FQDN objects that include a domain name that doesn't meet all of the following formatting rules:

  • Each FQDN object must be a domain name with at least two labels:

    • Each label must match a regular expression that includes only these characters: [a-z]([-a-z0-9][a-z0-9])?..
    • Each label must have a length of 1-63 characters.
    • Labels must be concatenated with a dot (.).

    Consequently, FQDN objects don't support wildcard characters (*) or top-level (or root) domain names, such as *.example.com. and .org, because these include only a single label.

  • FQDN objects support Internationalized Domain Names (IDNs). You can supply an IDN in either Unicode or Punycode format. Consider the following:

    • If you specify an IDN in Unicode format, Cloud NGFW converts it to Punycode format before processing.

    • You can use the IDN converter to create the Punycode representation of an IDN.

    • The character limit of 1-63 per label applies to IDNs after conversion to Punycode format.

  • The encoded length of a fully qualified domain name (FQDN) cannot exceed 255 bytes (octets).

Cloud NGFW doesn't support equivalent domain names in the same firewall rule. For example, if the two domain names (or Punycode representations of IDNs) differ at most by a terminal dot (.), Cloud NGFW considers them equivalent.

What's next