If the service or application of your enterprise is accessed using a domain name, you must configure domain name-based access control policies to improve the security of business traffic. This topic describes the domain name identification modes that are supported by Cloud Firewall and domain name-based access control policies.
Introduction to domain name identification modes
When you specify a domain name or a domain address book as the destination in an outbound access control policy for the Internet firewall, NAT firewall, or VPC firewall, you can use the following domain name identification modes: FQDN-based Dynamic Resolution (Extract Host and SNI Fields), DNS-based dynamic resolution, and FQDN and DNS-based dynamic resolution.
FQDN-based resolution
If the application type of traffic is HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, or IMAPS, Cloud Firewall extracts fields such as the Host field in HTTP packets or the SNI field in HTTPS packets to implement access control on a domain name.
DNS-based dynamic resolution
This mode does not restrict the application type. Cloud Firewall supports DNS-based dynamic resolution for domain names and displays the resolved IP addresses. Cloud Firewall can implement access control on these IP addresses. A domain name can be resolved to up to 500 IP addresses.
Cloud Firewall integrates the following DNS resolution methods:
Default DNS resolution
This method uses Alibaba Cloud DNS Private DNS. The IP addresses of the Alibaba Cloud DNS Private DNS server are 100.100.2.136 and 100.100.2.138.
Private DNS resolution
You can add the Alibaba Cloud DNS Private DNS server and self-managed DNS servers to Cloud Firewall. This lets you create access control policies based on the resolution results of your private DNS services, which supports the service-oriented and application-oriented way that workloads in the cloud are addressed.
If your private DNS server is the Alibaba Cloud DNS Private DNS server, the default IP addresses of the private DNS server are 100.100.2.136 and 100.100.2.138. You must also add DNS records. A domain name is resolved to IP addresses based on the DNS records that you add.
If your private DNS server is a self-managed DNS server and uses a public IP address, you must make sure that your business VPC has a NAT gateway to allow the created synchronization node to access the DNS server. If your private DNS server uses a private IP address, you must make sure that the business VPC and the DNS server can communicate with each other, and the created synchronization node can access the DNS server.
To add a private DNS server, you must create a synchronization node in the Cloud Firewall console. For more information, see Private DNS.
FQDN and DNS-based dynamic resolution
If the application type of traffic is HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, or IMAPS, Cloud Firewall first identifies the Host or SNI field in the traffic and also uses the DNS dynamic resolution results. If either check matches, the domain name condition of the policy is considered met. This mode is suitable for applications of one of these seven types where some or all of the traffic does not carry a Host or SNI field.
Wildcard domain names and wildcard domain address books are supported as destination types only when the identification mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields).
When you select the FQDN and DNS-based dynamic resolution mode, you must enable the strict mode of the access control engine.
In loose mode, if you select HTTP or one of the other six application types listed above and the traffic does not carry domain name information, the traffic is allowed without being identified when it is matched against FQDN domain names.
In strict mode, even if the traffic does not carry domain name information, Cloud Firewall still performs DNS dynamic resolution and matches the traffic against the IP addresses resolved in this mode, which provides more precise security control.
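The following Python model, added here as an illustration and not code from Cloud Firewall, shows how the three identification modes and the engine mode decide whether a flow meets the domain name condition. The Flow and DomainPolicy types, the mode names "fqdn", "dns" and "fqdn_dns", and the three verdict strings are assumptions made for the example; the application types, the wildcard restriction and the strict-mode requirement follow the text above. For FQDN-based mode with no Host or SNI field, the example reports the flow as unidentified in both engine modes, which is an assumption, since the page describes the strict-mode DNS fallback only for the combined mode.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Application types in which a Host (HTTP) or SNI (TLS) field can be extracted.
FQDN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL", "POPS", "IMAPS"}


@dataclass(frozen=True)
class Flow:
    app: str              # application type identified for the traffic
    dst_ip: str           # destination IP address of the packet
    host: Optional[str]   # HTTP Host or TLS SNI value; None when absent


@dataclass(frozen=True)
class DomainPolicy:
    domain: str                   # destination domain, may be *.example.com
    mode: str                     # "fqdn", "dns" or "fqdn_dns" (assumed names)
    resolved_ips: FrozenSet[str]  # current DNS dynamic resolution results


def fqdn_match(domain: str, host: str) -> bool:
    """Exact match, or wildcard match for names such as *.example.com."""
    domain = domain.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if domain.startswith("*."):
        suffix = domain[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == domain


def validate(policy: DomainPolicy, strict_engine: bool) -> None:
    """Reject combinations the page says are not supported."""
    if policy.domain.startswith("*.") and policy.mode != "fqdn":
        raise ValueError("wildcard domains are supported only in FQDN-based mode")
    if policy.mode == "fqdn_dns" and not strict_engine:
        raise ValueError("FQDN and DNS-based mode requires the strict engine mode")


def domain_condition(policy: DomainPolicy, flow: Flow, strict_engine: bool) -> str:
    """Return 'match', 'no_match' or 'unidentified' for one flow.

    'unidentified' means the flow carries no Host/SNI, so the domain name is
    never evaluated and the flow passes without identification.
    """
    validate(policy, strict_engine)
    has_host = flow.app in FQDN_APPS and flow.host is not None
    ip_hit = flow.dst_ip in policy.resolved_ips
    if policy.mode == "dns":
        # Only the resolved addresses count; the application type is not restricted.
        return "match" if ip_hit else "no_match"
    host_hit = has_host and fqdn_match(policy.domain, flow.host or "")
    if policy.mode == "fqdn":
        if not has_host:
            return "unidentified"
        return "match" if host_hit else "no_match"
    # fqdn_dns: Host/SNI is checked first, then the DNS results; either suffices.
    return "match" if (host_hit or ip_hit) else "no_match"
```

Note the DNS-based case: because matching is done on the resolved addresses, a flow whose Host names a different domain that resolves to the same address also matches, which is why sharing addresses between domains affects control precision.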
Usage notes on domain name-based access control policies
When you configure an access control policy and set the destination to a domain name, take note of the following items:
DNS resolution is not supported in the following scenarios:
The access control policy is configured for inbound traffic on the Internet boundary. DNS resolution is supported only for access control policies that are configured for outbound traffic on the Internet boundary.
The destination is a wildcard domain name. Example: *.example.com. A wildcard domain name cannot be resolved to a specific IP address.
Domain Address Books is selected for the destination type, and the specified domain address book includes a wildcard domain name.
If an exact-match domain address book is referenced by an access control policy, and a domain name identification mode is specified in the policy, you cannot add a wildcard domain name to the domain address book.
DNS Domain Name Resolution Policy Usage:
You can configure access control policies whose Destination Type is Domain Name for the Internet firewall, VPC firewalls, and NAT firewalls. The quota consumed by such access control policies in which Domain Name Identification Mode is set to DNS-based Dynamic Resolution or set to FQDN and DNS-based Dynamic Resolution is calculated by tier on each firewall boundary.
If the total quota consumed by such access control policies on a firewall boundary is less than or equal to 200, the actual consumed quota is the total quota. If the total quota consumed by such access control policies on a firewall boundary is greater than 200, the actual consumed quota is calculated based on the following formula: Actual consumed quota = 200 + (Excess quota × 10).
For example, you configured an access control policy on the Internet boundary. The destination address of the policy is aliyun.com, the domain name identification mode of the policy is DNS-based dynamic resolution, and the quota that is consumed by the policy is 185. In this case, if you want to create an access control policy whose domain name identification mode is DNS-based dynamic resolution and the quota that is consumed by the policy is 16, the total quota consumed by the two policies is calculated based on the following formula: 200 + (185 + 16 - 200) × 10 = 210.
For more information about how to calculate the quota that is consumed by an access control policy, see Quota consumed by access control policies.
If a request is initiated from an Elastic Compute Service (ECS) instance to an external domain name, the DNS server whose IP addresses are 100.100.2.136 and 100.100.2.138 is used by default. If you want to configure custom DNS resolution settings, you must add a self-managed DNS server or the Alibaba Cloud DNS Private DNS server.
If multiple domain names are resolved to the same IP address, access control performance may be affected.
For example, you configure an access control policy to allow HTTP traffic that is destined for the domain name example.aliyundoc.com. If the A record of the domain name example.aliyundoc.com is 1.1.XX.XX, the HTTP traffic that is destined for 1.1.XX.XX is allowed. If the A record of the domain name demo.aliyundoc.com is also 1.1.XX.XX, the HTTP traffic that is destined for demo.aliyundoc.com is also allowed.
If the IP addresses to which a domain name is resolved change, Cloud Firewall uses the new IP addresses to automatically update the access control policy.
Cloud Firewall automatically updates access control policies every 5 minutes.
If the IP address to which the domain name example.aliyundoc.com is resolved changes from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy. This way, the policy takes effect on the IP address 2.2.XX.XX. The access control policy always takes effect on the IP address to which the domain name is dynamically resolved.
Note: For scenarios that involve frequently updated domain names, such as CDN domain names, you can combine DNS domain name resolution policies with access control policies that use the FQDN-based Dynamic Resolution and FQDN and DNS-based Dynamic Resolution identification modes to improve the policy hit rate.
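The refresh behaviour described above (the resolved addresses of a domain changing, the policy following them on a 5-minute cycle, and the 500-address cap) can be simulated with the following Python code. It is an added example, not Cloud Firewall code; the DnsPolicyCache class, the run_scenario function and the zone data are constructed for the illustration, and the timing of the record change is an assumption chosen to expose the refresh window.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

REFRESH_INTERVAL_S = 5 * 60   # policies are updated every 5 minutes
MAX_IPS_PER_DOMAIN = 500      # a domain name resolves to at most 500 addresses


class DnsPolicyCache:
    """Tracks the IP addresses a DNS-based domain policy currently applies to."""

    def __init__(self, domain: str, resolve: Callable[[str], List[str]], now: float):
        self.domain = domain
        self._resolve = resolve          # resolver callback: domain -> list of IPs
        self.last_refresh = now
        self.ips: FrozenSet[str] = self._snapshot()

    def _snapshot(self) -> FrozenSet[str]:
        answers = self._resolve(self.domain)
        # Keep at most 500 addresses; any further answers are not covered.
        return frozenset(answers[:MAX_IPS_PER_DOMAIN])

    def tick(self, now: float) -> bool:
        """Refresh when the interval has elapsed; return True if the IPs changed."""
        if now - self.last_refresh < REFRESH_INTERVAL_S:
            return False
        self.last_refresh = now
        new_ips = self._snapshot()
        changed = new_ips != self.ips
        self.ips = new_ips
        return changed

    def applies_to(self, dst_ip: str) -> bool:
        return dst_ip in self.ips


def run_scenario() -> List[Tuple[int, str, bool]]:
    """Replay the page's example: the A record moves from 1.1.0.1 to 2.2.0.1."""
    # Constructed zone data; 1.1.0.1 / 2.2.0.1 stand in for the page's 1.1.XX.XX / 2.2.XX.XX.
    zone: Dict[str, List[str]] = {"example.aliyundoc.com": ["1.1.0.1"]}
    cache = DnsPolicyCache("example.aliyundoc.com", lambda d: zone[d], now=0)
    checks = [(0, "1.1.0.1"), (120, "1.1.0.1"), (120, "2.2.0.1"),
              (360, "1.1.0.1"), (360, "2.2.0.1")]
    results = []
    for t, dst_ip in checks:
        if t >= 60:
            zone["example.aliyundoc.com"] = ["2.2.0.1"]   # record changes at t=60 (assumed)
        cache.tick(t)
        results.append((t, dst_ip, cache.applies_to(dst_ip)))
    return results


def capped_ip_count(answer_count: int) -> int:
    """How many of answer_count resolved addresses a policy actually covers."""
    zone = {"many.aliyundoc.com": [f"10.0.{i // 256}.{i % 256}" for i in range(answer_count)]}
    return len(DnsPolicyCache("many.aliyundoc.com", lambda d: zone[d], now=0).ips)
```

Between the record change and the next refresh, the policy still applies to the old address and not yet to the new one; a practitioner should expect up to one refresh interval of that lag when reading policy hit logs after a DNS change.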
References
For more information about how to create a synchronization node for a private DNS server, see Private DNS.
For more information about access control policies, see Overview of access control policies.
For more information about how an access control policy works, see How an access control policy works.
For more information about the modes of the access control engine, see Configure the mode of the access control engine.