Cloud Firewall allows you to specify domain names as destinations for outbound traffic in access control policies. Cloud Firewall resolves domain names, displays resolution results, and controls the access to IP addresses that are mapped to the domain names. This topic describes how to configure an outbound access control policy for a domain name.
Background information
Cloud Firewall uses dynamic DNS resolution to optimize outbound access control policies for domain names. You can view the IP addresses that are mapped to the destination domain names and manually update the IP addresses.
If the destination in an outbound access control policy is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on those IP addresses. A domain name can be resolved to up to 500 IP addresses. However, if the protocol type is set to TCP and the application type is set to HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall does not resolve the domain name or apply access control to resolved IP addresses. Instead, the following rules apply:
- If the application type is HTTP or SMTP, Cloud Firewall first uses the host field to implement access control for domain names.
- If the application type is HTTPS, SMTPS, or SSL, Cloud Firewall first uses the SNI field to implement access control for domain names.
- If any application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall resolves the domain names and implements access control. You can view the resolution results, which are the IP addresses mapped to the domain names.
Limits
Cloud Firewall does not apply access control policies for domain names in the following scenarios:
- Access control policies are configured for inbound traffic. Only access control policies for outbound traffic are supported.
- The destination is a wildcard domain name. Example: *.example.com.
- Domain Address Books is selected for the destination type.
- The default DNS server (ADNS) is used to resolve the external domain names that an ECS instance requests. DNS servers cannot be customized. If you change the DNS server of the ECS instance, the outbound access control policy for your ECS instance becomes invalid.
- If multiple domain names are mapped to the same IP address, access control may be compromised.
For example, assume that you want to configure an access control policy to allow FTP traffic destined for the domain name example1.aliyun.com. If the A record for the domain name example1.aliyun.com is 1.*.*.1, the FTP traffic destined for 1.*.*.1 is allowed. If the A record for the domain name example2.aliyun.com is also 1.*.*.1, the FTP traffic destined for example2.aliyun.com is also allowed.
- If the IP addresses mapped to a domain name are changed, Cloud Firewall uses the up-to-date IP addresses and automatically updates the access control policy for the domain name.
If the IP address mapped to the domain name example1.aliyun.com is changed from 1.*.*.1 to 2.*.*.2, Cloud Firewall automatically updates the access control policy for the domain name. Cloud Firewall uses the IP address 2.*.*.2 to ensure that the access control policy takes effect as expected. Cloud Firewall automatically updates the access control policy every 30 minutes, which means that a resolution record change is applied to the access control policy within 30 minutes.
If you need to update your access control policy based on dynamic resolution records, click DNS on the policy editing page to manually trigger DNS resolution and obtain the up-to-date IP addresses. Then, click OK to save the policy updates.
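The following Python model, added here as an illustration and not Cloud Firewall's own code, shows the two behaviours described above: which field a domain-name policy is matched against depending on protocol and application type, and the shared-IP caveat, where an allow rule for one domain also admits traffic to any other domain that resolves to the same address. The DNS table, domain names and addresses are constructed sample data; the `Policy` class and function names are assumptions for this example.

```python
"""Model of domain-destination outbound policy enforcement plus a check for
the shared-IP caveat. All DNS data below is constructed sample data."""
from dataclasses import dataclass, field

# Application types matched on an application-layer field instead of resolved IPs
HOST_APPS = {"HTTP", "SMTP"}          # matched on the Host field
SNI_APPS = {"HTTPS", "SMTPS", "SSL"}  # matched on the SNI field
MAX_RESOLVED_IPS = 500                # resolution cap stated in the documentation

# Constructed stand-in for the resolver: domain -> A records (offline sample data)
FAKE_DNS = {
    "example1.aliyun.com": ["203.0.113.1"],
    "example2.aliyun.com": ["203.0.113.1", "203.0.113.5"],
    "example3.aliyun.com": ["198.51.100.7"],
}

@dataclass
class Policy:
    domain: str
    protocol: str  # e.g. "TCP" or "UDP" (values assumed for this example)
    app: str       # e.g. "HTTP", "HTTPS", "FTP" (values assumed for this example)
    resolved: list = field(default_factory=list)

def enforcement_mode(p: Policy) -> str:
    """Field the domain is matched against, following the rules in the text."""
    if p.protocol == "TCP" and p.app in HOST_APPS:
        return "host"
    if p.protocol == "TCP" and p.app in SNI_APPS:
        return "sni"
    return "resolved-ip"

def resolve(p: Policy, dns=FAKE_DNS) -> list:
    """Fill in resolved IPs for an IP-enforced policy, truncated to the cap."""
    if enforcement_mode(p) != "resolved-ip":
        return []  # Host/SNI-matched policies never resolve the name
    p.resolved = list(dns.get(p.domain, []))[:MAX_RESOLVED_IPS]
    return p.resolved

def shared_ip_exposure(p: Policy, dns=FAKE_DNS) -> dict:
    """Other domains whose records overlap this policy's resolved IPs. Traffic to
    them is allowed too, because the rule matches addresses, not names."""
    ips = set(resolve(p, dns))
    return {d: sorted(ips & set(recs)) for d, recs in dns.items()
            if d != p.domain and ips & set(recs)}
```

Running `shared_ip_exposure` over every IP-enforced policy before deployment surfaces the overlaps the text warns about, so they can be reviewed rather than discovered later.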