How a domain name-based access control policy works

Updated at: 2024-12-12 07:00

If the service or application of your enterprise is accessed by using a domain name, you must configure domain name-based access control policies to improve the security of business traffic. This topic describes the domain name identification modes that are supported by Cloud Firewall and domain name-based access control policies.

Introduction to domain name identification modes

If you specify a domain name or a domain address book as the destination in an inbound or outbound access control policy that is created for the Internet firewall or a virtual private cloud (VPC) firewall of Cloud Firewall, you can use one of the following domain name identification modes for the policy: FQDN-based resolution (extracting the Host or SNI field from packets), DNS-based dynamic resolution, or FQDN and DNS-based dynamic resolution. FQDN is short for fully qualified domain name, DNS is short for Domain Name System, and SNI is short for Server Name Indication.

  • FQDN-based resolution (Layer 7)

    If the application type of traffic is HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall extracts the Host or SNI field of the traffic to implement access control on a domain name.

  • DNS-based dynamic resolution (Layer 4)

    Cloud Firewall supports DNS-based dynamic resolution for domain names and displays the IP addresses that are resolved. Cloud Firewall can implement access control on the IP addresses. A domain name can be resolved to up to 500 IP addresses. This mode does not support wildcard domain names.

    Cloud Firewall integrates the following DNS resolution methods:

    • Default DNS resolution

      This method uses Alibaba Cloud DNS Private DNS. The IP addresses of the Alibaba Cloud DNS Private DNS server are 100.100.2.136 and 100.100.2.138.

    • Private DNS resolution

      You can add the Alibaba Cloud DNS Private DNS server and self-managed DNS servers to Cloud Firewall. This facilitates the security management of access control policies that are created based on private DNS services to meet the service-oriented and application-oriented development trends in the cloud.

      If your private DNS server is the Alibaba Cloud DNS Private DNS server, the default IP addresses of the private DNS server are 100.100.2.136 and 100.100.2.138. You must also add DNS records. A domain name is resolved to IP addresses based on the DNS records that you add.

      If your private DNS server is a self-managed DNS server and uses a public IP address, you must make sure that your business VPC has a NAT gateway to allow the created synchronization node to access the DNS server. If your private DNS server uses a private IP address, you must make sure that the business VPC and the DNS server can communicate with each other, and the created synchronization node can access the DNS server.

      To add a private DNS server, you must create a synchronization node in the Cloud Firewall console. For more information, see Manage synchronization nodes.

  • FQDN and DNS-based dynamic resolution

    If you manage traffic whose application type is HTTP, HTTPS, SMTP, SMTPS, or SSL and some or all of that traffic does not include the Host or SNI field, we recommend that you use this mode. This mode takes effect only if the access control engine is in strict mode.
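To make the Layer 7 mode concrete, the following added example (written for this page, not Cloud Firewall's own code) shows how a domain name is recovered from the Host header of a plaintext HTTP request and from the server_name extension of a TLS ClientHello, which is what FQDN-based resolution relies on. The function names, the constructed ClientHello builder and the `identify_domain` dispatcher are assumptions; SMTP/SMTPS handling is not shown. A `None` result is the case the last bullet describes: the flow carries no Host or SNI, so only DNS-based resolution could match it.

```python
import struct

def host_from_http(payload):
    """Domain from the Host header of a plaintext HTTP request, or None if absent."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:                 # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None

def sni_from_client_hello(record):
    """Domain from the server_name extension of a TLS ClientHello record, or None if absent."""
    u16 = lambda i: struct.unpack("!H", record[i:i + 2])[0]
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None                                       # not a handshake/ClientHello record
    p = 9 + 2 + 32                                        # record+handshake headers, version, random
    p += 1 + record[p]                                    # session_id
    p += 2 + u16(p)                                       # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    if p + 2 > len(record):
        return None                                       # no extensions block at all
    end = p + 2 + u16(p); p += 2
    while p + 4 <= end:
        ext_type, ext_len = u16(p), u16(p + 2); p += 4
        if ext_type == 0:                                 # server_name extension (RFC 6066)
            q = p + 2                                     # skip server_name_list length
            while q + 3 <= p + ext_len:
                if record[q] == 0:                        # name_type host_name
                    return record[q + 3:q + 3 + u16(q + 1)].decode("ascii").lower()
                q += 3 + u16(q + 1)
        p += ext_len
    return None

def identify_domain(app_type, payload):
    """Layer 7 identification (assumed dispatcher): None means no Host/SNI was found."""
    if app_type == "HTTP":
        return host_from_http(payload)
    return sni_from_client_hello(payload) if app_type in ("HTTPS", "SSL") else None

def build_client_hello(server_name=None):
    """Constructed minimal ClientHello for testing; not captured traffic."""
    ext = b""
    if server_name:
        name = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
        lst = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0, len(lst)) + lst       # type 0 = server_name
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```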

Usage notes on domain name-based access control policies

When you configure an access control policy and set the destination to a domain name, take note of the following items:

  • DNS resolution is not supported in the following scenarios:

    • The access control policy is configured for inbound traffic on the Internet boundary. DNS resolution is supported only for access control policies that are configured for outbound traffic on the Internet boundary.

    • The destination is a wildcard domain name. Example: *.example.com. A wildcard domain name cannot be resolved to a specific IP address.

    • Domain Address Books is selected for the destination type, and the specified domain address book includes a wildcard domain name.

      If an exact-match domain address book is referenced by an access control policy, and a domain name identification mode is specified in the policy, you cannot add a wildcard domain name to the domain address book.

  • Quota consumed by domain name-based access control policies:

    You can configure access control policies whose Destination Type is Domain Name for the Internet firewall, VPC firewalls, and NAT firewalls. The quota consumed by such access control policies in which Domain Name Identification Mode is set to DNS-based Dynamic Resolution or set to FQDN and DNS-based Dynamic Resolution is calculated by tier on each firewall boundary.

    If the total quota consumed by such access control policies on a firewall boundary is less than or equal to 200, the actual consumed quota equals the total quota. If the total quota consumed by such access control policies on a firewall boundary is greater than 200, the actual consumed quota is calculated based on the following formula, where the excess quota is the total quota minus 200: Actual consumed quota = 200 + (Excess quota × 10).

    For example, you configured an access control policy on the Internet boundary. The destination address of the policy is aliyun.com, the domain name identification mode of the policy is DNS-based dynamic resolution, and the quota that is consumed by the policy is 185. In this case, if you want to create an access control policy whose domain name identification mode is DNS-based dynamic resolution and the quota that is consumed by the policy is 16, the total quota consumed by the two policies is calculated based on the following formula: 200 + (185 + 16 - 200) × 10 = 210.

    For more information about how to calculate the quota that is consumed by an access control policy, see Quota consumed by access control policies.

  • If a request is initiated from an Elastic Compute Service (ECS) instance to an external domain name, the DNS server whose IP addresses are 100.100.2.136 and 100.100.2.138 is used by default. If you want to configure custom DNS resolution settings, you must add a self-managed DNS server or the Alibaba Cloud DNS Private DNS server.

  • If multiple domain names are resolved to the same IP address, access control performance may be affected.

    For example, you configure an access control policy to allow HTTP traffic that is destined for the domain name example.aliyundoc.com. If the A record of the domain name example.aliyundoc.com is 1.1.XX.XX, the HTTP traffic that is destined for 1.1.XX.XX is allowed. If the A record of the domain name demo.aliyundoc.com is also 1.1.XX.XX, the HTTP traffic that is destined for demo.aliyundoc.com is also allowed.

  • If the IP addresses to which a domain name is resolved change, Cloud Firewall uses the new IP addresses to automatically update the access control policy.

    Cloud Firewall automatically updates access control policies every 5 minutes.

    If the IP address to which the domain name example.aliyundoc.com is resolved changes from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy. This way, the policy takes effect on the IP address 2.2.XX.XX. The access control policy always takes effect on the IP address to which the domain name is dynamically resolved.
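The two bullets above (several domain names sharing one IP address, and the 5-minute re-resolution cycle) can be illustrated with a small simulation of a DNS-based policy. This is an added example written for this page, not Cloud Firewall's implementation: the zone dictionary, the IP addresses (TEST-NET ranges) and the class and function names are all constructed assumptions.

```python
MAX_RESOLVED_ADDRS = 500          # per-domain limit stated in the doc
REFRESH_INTERVAL_SECS = 300       # the doc's 5-minute policy update cycle

def resolve(zone, domain):
    """Stand-in for the DNS lookup; `zone` is a constructed dict, not a real resolver."""
    if domain.startswith("*."):
        raise ValueError("wildcard domain names are not supported in DNS-based resolution")
    return set(zone.get(domain, [])[:MAX_RESOLVED_ADDRS])

class DnsDomainPolicy:
    """One outbound policy whose destination is a domain name in DNS-based mode."""
    def __init__(self, domain, zone, action, now=0):
        self.domain, self.zone, self.action = domain, zone, action
        self.addrs, self.refreshed_at = resolve(zone, domain), now

    def current_addrs(self, now):
        # Re-resolve only once the 5-minute cycle has elapsed; until then the
        # policy keeps matching the previously resolved (possibly stale) addresses.
        if now - self.refreshed_at >= REFRESH_INTERVAL_SECS:
            self.addrs, self.refreshed_at = resolve(self.zone, self.domain), now
        return self.addrs

def decide(policies, dst_ip, now):
    """First policy whose resolved addresses contain dst_ip wins; 'none' if nothing matches."""
    for policy in policies:
        if dst_ip in policy.current_addrs(now):
            return policy.action
    return "none"

def demo():
    # Constructed zone: both names resolve to the same address, as in the doc's example.
    zone = {"example.aliyundoc.com": ["198.51.100.10"], "demo.aliyundoc.com": ["198.51.100.10"]}
    policies = [DnsDomainPolicy("example.aliyundoc.com", zone, "allow")]
    shared = decide(policies, "198.51.100.10", now=0)     # traffic meant for demo.* is allowed too
    zone["example.aliyundoc.com"] = ["203.0.113.10"]      # the A record changes
    stale = decide(policies, "203.0.113.10", now=60)      # cycle not elapsed: new address not matched
    fresh = decide(policies, "203.0.113.10", now=300)     # after 5 minutes the policy follows the new IP
    return shared, stale, fresh
```

The policy matches on the destination IP address only, so the match for demo.aliyundoc.com traffic in `demo()` is the side effect the first bullet warns about, not a bug in the simulation.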
