Fully qualified domain name (FQDN) objects contain domain names that you specify in the domain name format. You can use FQDN objects as sources for ingress rules or as destinations for egress rules in a hierarchical firewall policy, global network firewall policy, or regional network firewall policy.
You can combine FQDNs with other parameters. For details about source parameter combinations in ingress rules, see Sources for ingress rules. For details about destination parameter combinations in egress rules, see Destinations for egress rules.
FQDN objects support Cloud DNS response policies, VPC network-scoped managed private zones, Compute Engine internal DNS names, and public DNS zones. This support applies as long as the Virtual Private Cloud (VPC) network doesn't have an outbound server policy that specifies an alternative name server. For more information, see VPC network resolution order.
Map FQDN objects to IP addresses
Cloud Next Generation Firewall periodically resolves FQDN objects to IP addresses. Cloud NGFW follows the Cloud DNS VPC name resolution order in the VPC network that contains the firewall rule's targets.
Cloud NGFW uses the following behavior for IP address resolution:
Support CNAME chasing. Cloud NGFW uses Cloud DNS CNAME chasing if the answer to a FQDN object query is a CNAME record.
Program IP addresses. Cloud NGFW uses the resolved IP addresses when it programs the firewall rules that use FQDN objects. Each FQDN object can be mapped to a maximum of 32 IPv4 addresses and 32 IPv6 addresses.
If the DNS answer for an FQDN object query resolves to more than 32 IPv4 addresses or more than 32 IPv6 addresses, Cloud NGFW limits the programmed IP addresses in the firewall rules to the first 32 IPv4 addresses and the first 32 IPv6 addresses.
Ignore FQDN objects. If Cloud NGFW cannot resolve an FQDN object to an IP address, it ignores the FQDN object. In the following situations, Cloud NGFW ignores an FQDN object:
When
NXDOMAINanswers are received.NXDOMAINanswers are explicit answers from a name server indicating that no DNS record for the FQDN object query exists.When no IP address exists in an answer. In this situation, an FQDN object query doesn't result in an answer with an IP address that Cloud NGFW can use to program a firewall rule.
When Cloud DNS server is unreachable. Cloud NGFW ignores FQDN objects if a DNS server that provides the answer is unreachable.
When an FQDN object is ignored, Cloud NGFW programs the remaining portions of a firewall rule, if possible.
Considerations for FQDN objects
Consider the following for FQDN objects:
Because FQDN objects map to and are programmed as IP addresses, Cloud NGFW uses the following behavior when two or more FQDN objects map to the same IP address. Assume you have the following two firewall rules that apply to the same target:
- Rule 1: priority
100, ingress allow from source FQDNexample1.com - Rule 2: priority
200, ingress allow from source FQDNexample2.com
If both
example1.comandexample2.comresolve to the same IP address, ingress packets from bothexample1.comandexample2.commatch the first firewall rule because this rule has a higher priority.- Rule 1: priority
Considerations for using FQDN objects include the following:
A DNS query can have unique answers based on the location of the requesting client.
DNS answers can be highly variable when a DNS-based load balancing system is involved.
A DNS answer might contain more than 32 IPv4 addresses.
A DNS answer might contain more than 32 IPv6 addresses.
In the preceding situations, because Cloud NGFW performs DNS queries in each region that contains the VM network interface to which the firewall rule applies, the programmed IP addresses in firewall rules don't contain all possible IP addresses associated with the FQDN.
Most Google domain names, such as
googleapis.com, are subject to one or more of these situations. Use IP addresses or address groups instead.Avoid using FQDN objects with DNS
Arecords that have a time to live (TTL) of less than 90 seconds.
Format domain names
FQDN objects must follow the standard FQDN format. This format is defined in RFC 1035, RFC 1123, and RFC 4343. Cloud NGFW rejects FQDN objects that include a domain name that doesn't meet all of the following formatting rules:
Each FQDN object must be a domain name with at least two labels:
- Each label must match a regular expression that includes only these
characters:
[a-z]([-a-z0-9][a-z0-9])?.. - Each label must have a length of 1-63 characters.
- Labels must be concatenated with a dot (.).
Consequently, FQDN objects don't support wildcard characters (
*) or top-level (or root) domain names, such as*.example.com.and.org, because these include only a single label.- Each label must match a regular expression that includes only these
characters:
FQDN objects support Internationalized Domain Names (IDNs). You can supply an IDN in either Unicode or Punycode format. Consider the following:
If you specify an IDN in Unicode format, Cloud NGFW converts it to Punycode format before processing.
You can use the IDN converter to create the Punycode representation of an IDN.
The character limit of 1-63 per label applies to IDNs after conversion to Punycode format.
The encoded length of a fully qualified domain name (FQDN) cannot exceed 255 bytes (octets).
Cloud NGFW doesn't support equivalent domain names in the same firewall
rule. For example, if the two domain names (or Punycode representations of IDNs) differ at most
by a terminal dot (.), Cloud NGFW considers them equivalent.