Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 6193 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rule won't work with wildcard domains bec. of unable to resolve subdomains

Emin Akbulut

Hi all!

I need to block a few sites and the easiest way is to use wildcarded FQDNs. I've configured a block rule and added FQDN Group as target. Then noticed that the rule won't apply at all.

The rule with *.targetdomain.com target won't be blocked.  I need to add  all the subdomains exactly like mail.targetdomain.com and targetdomain.com, etc.

 

Tha main reason is that the DNS list of wildcarded domain is empty:

 

 

In real there are subdomains including the domain's itself:

 

After a while the subdomain has been resolved. The domain still non-exist:

 

I also noticed you cannot modify FQDN if it has wildcard. It seems like a bug to me.

My unit is XG135 (SFOS 17.5.3 MR-3) 

 

Is it a good way to block targets using wildcarded FQDNs? The best way would be using IP addresses to block. However FQDNs are the easiest, especially wildcarded ones.



This thread was automatically locked due to age.
  • 0

    Hello Emin,

    It seems a missing Reverse DNS setup on root domain and i can say it's not all about you. When you add a root domain from Fqdn Host Sophos XG pings the dns server and asks glue records of any domains present from root dns of domain you added. If it gets the exact answer it shows you the list below

     

    this is why you can see the subdomain after adding manually. And anyway you can block this domain -in case you didn't excluded before- with https decryption because its in financial category.

  • 0 in reply to Eren Ertas

    Ok, got it! Thanks for the reply. Using wildcards is not the best way to shape the traffic, apparently. I'll stick with the exact names. 

  • 0 in reply to Eren Ertas

    Hello Eren

    we've the same issue and actually the reverse lookup works if done either with the firewall "diagnostic" tool or an external dnslookup

    We created a rule to ALLOW traffic to *.domain.com for some devices that reach the main server and gets a list of IP ( registered ) to conenct to  and got the following behavior

    - when a user attach a device that reach the main server ie server.domain.com the rule works and the device  connects

    - the device gets its IP list and try to connect to one IP x.x.x.x which resolves externally to device.vpn.domain.com .
      this is blocked as the firewall is not doing a reverse lookup for x.x.x.x and so the rule is not applied

     

    Any idea ?

    thanks