5.6. FQDN Address Objects

Overview

An address object can be specified as an FQDN (for example: server1.example.com) instead of an IP address. cOS Stream then resolves the FQDN to one or more IP addresses at runtime when the FQDN address object is referenced by another configuration object.

Specifying FQDN Address Objects

An FQDN address object is created by assigning the FQDN to the Address property of an IPAddress object:
System:/> add Address IPAddress my_fqdn_ip Address=server.example.com
The requirement for DNS resolution of an FQDN can also be written explicitly:
System:/> add Address IPAddress my_fqdn_ip Address=dns:server.example.com
Instead of a full FQDN, a bare host or domain name can also be used, but this requires the dns: prefix:
System:/> add Address IPAddress my_fqdn_ip Address=dns:example

The dns: Prefix Disables Format Checking

The dns: prefix seen in the examples above has a secondary function: it turns off format checking of the FQDN. Without the prefix, cOS Stream rejects any FQDN that appears to be malformed, for example because it contains unusual characters. With the dns: prefix, cOS Stream accepts any string value. This also means that a mistyped name is not caught at configuration time, so the prefix should only be used where a name genuinely fails the format check.

[Note] Note: Wildcarding in FQDNs is not supported

Wildcards cannot be used when specifying the FQDN in an FQDN address object. The reason is that cOS Stream populates the FQDN cache by itself sending queries to a DNS server. If an FQDN containing a wildcard, such as *.example.com, were sent to a DNS server, the server would not be able to resolve it.
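The following is an added example, not code from the cOS Stream product or its documentation: a small pre-deployment linter that applies the two rules just described (format checking that the dns: prefix bypasses, and wildcards that can never resolve) to Address= values in CLI lines. cOS Stream's actual format rules are not given on this page, so the label syntax here (RFC 1123 host names) is an assumption, and the wildcard rejection is applied even with the dns: prefix because the note above says such names cannot be resolved. The sample configuration lines are constructed.

```python
import re

# One DNS label: 1-63 characters, letters, digits and hyphen, no leading or
# trailing hyphen (RFC 1123 host-name syntax). This is an assumed approximation
# of cOS Stream's format check, which the page does not spell out.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_fqdn_value(value: str) -> tuple:
    """Return (accepted, reason) for the Address= value of an FQDN address object.

    A wildcard is refused in both forms because the query would be sent to a
    DNS server as-is and never resolve; the dns: prefix skips the format check
    so any other string is accepted unchanged."""
    prefixed = value.startswith("dns:")
    name = value[4:] if prefixed else value
    if not name:
        return False, "empty name"
    if "*" in name:
        return False, "wildcards are not supported in FQDN address objects"
    if prefixed:
        return True, "accepted without format checking (dns: prefix)"
    if len(name) > 253:
        return False, "name longer than 253 characters"
    for label in name.rstrip(".").split("."):
        if not _LABEL.match(label):
            return False, f"malformed label {label!r}; use the dns: prefix to bypass the check"
    return True, "accepted"


def lint_config(lines):
    """Scan CLI lines of the form 'add Address IPAddress <name> ... Address=<value>'
    and return (object name, reason) for every value that would be rejected."""
    problems = []
    for line in lines:
        m = re.search(r"add Address IPAddress (\S+) .*?Address=(\S+)", line)
        if not m:
            continue
        ok, reason = check_fqdn_value(m.group(2))
        if not ok:
            problems.append((m.group(1), reason))
    return problems


# Constructed sample configuration lines, not taken from a real device.
SAMPLE_CONFIG = [
    "add Address IPAddress my_fqdn_ip Address=server.example.com",
    "add Address IPAddress my_fqdn_ip2 Address=dns:example",
    "add Address IPAddress bad_chars Address=int_server.example.com",
    "add Address IPAddress forced Address=dns:int_server.example.com",
    "add Address IPAddress wild Address=*.example.com",
]

if __name__ == "__main__":
    for name, reason in lint_config(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

Running the linter over the sample lines reports bad_chars (underscore in a label) and wild (wildcard); the dns:-prefixed copy of the same underscored name passes, which is exactly the trade-off the prefix makes.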

Only IPRule Objects Can Use FQDN Address Objects

Currently, only IPRule objects can contain a reference to an FQDN address object.

Note that, as with any IPRule, it is not possible to have only IPv4 addresses on one side of the rule (source or destination) and only IPv6 addresses on the other side. Since FQDN resolution occurs at runtime, an FQDN address object may resolve to addresses of an IP version that contravenes this rule. If this happens there will be a configuration error and the IPRule will be disabled, with the following warning message generated:

   Inconsistent IP versions for source and destination IP Addresses

Direct FQDN Address References

It is possible to use an FQDN address reference in an IPRule object without first creating an intermediate IPAddress object. For example, consider the following IPRule that allows flows to server.example.com:
System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=any
			DestinationNetwork=dns:server.example.com
			Service=all_services
			Name=allow_lan_to_example
			Action=Allow
Here, the FQDN is specified using the same rules described earlier for creating FQDN address objects, including the optional dns: prefix.

FQDN Resolution Requires a Configured DNS Server

For FQDN address objects to function correctly, at least one external DNS server must be configured in cOS Stream by creating at least one DNS Server object in the cOS Stream configuration. For a description of configuring DNS servers in cOS Stream, see Chapter 12, DNS.

The DNS Lookup Should Be Consistent

The administrator should ensure that the DNS lookup used for FQDN address objects referenced by IPRule objects returns the same results as the DNS lookup used by the hosts affected by those policies. If the two resolvers return different answers, for example because of split-horizon DNS or a load-balanced name that hands out different records to different clients, the rule is enforced against addresses that the hosts are not actually connecting to. The best way to avoid this is to ensure that cOS Stream uses the same DNS server as the hosts it is protecting.

FQDN Address Object Activation Triggers FQDN Resolution

cOS Stream will try to perform the DNS resolution of FQDN address objects when a configuration is activated. This will happen even if no other object has a reference to the FQDN object.

If no DNS server is configured, cOS Stream will generate a warning when attempting to deploy a configuration with a reference to an FQDN address object.

FQDN Address Objects Can Store Multiple IPs

Depending on the FQDN, the DNS lookup can return both IPv4 and IPv6 addresses, and there can be up to 8 IPs of each type (16 in total) stored in the cache for a single FQDN.

FQDN Address Caching

cOS Stream uses a DNS cache to ensure that the same FQDN does not need to be resolved every time it is referenced. The current cache contents can be examined using the following command:
System:/> dns -list
However, a better method of displaying all the IP addresses being used for a particular FQDN address object is to display the full object properties:
System:/> show Address IPAddress <fqdn-address-object>
Alternatively, the netobjects command can be used:
System:/> netobjects <fqdn-address-object>

Cache Lifetimes

FQDN address objects differ from other types of cached DNS entries in that when the entry's TTL (Time To Live) expires, cOS Stream refreshes the cache entry by issuing a new DNS query. Setting the global minimum TTL and maximum TTL values is described in Chapter 12, DNS.

The global DNS object property called FQDNValidAfterTTLDefault is used only for FQDN address objects and it determines the minimum amount of time after the TTL has expired that an entry will stay in the cache. It has a default value of 86,400 seconds (one day). This is relevant when consecutive DNS queries for the same FQDN return different IP addresses, since it ensures that the addresses from the different answers coexist in the cache.

The value of FQDNValidAfterTTLDefault can be overridden for an individual address object by setting the object's FQDNValidAfterTTL property:

System:/> add Address IPAddress my_fqdn_ip
			Address=server.example.com
			FQDNValidAfterTTL=15000
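To make the cache lifetime rules above concrete, and to tie them to the IP-version consistency check described earlier for IPRule objects, here is an added model written for this page; it is not cOS Stream code and does not reproduce the product's internal data structures. It models exactly what the text states: an answer's addresses stay usable until the TTL plus FQDNValidAfterTTL (per-object override or the global default) has run out, a refresh query is due once the TTL itself has expired, addresses from successive answers coexist, at most 8 addresses per IP family are kept, and a rule whose two sides end up with only IPv4 on one and only IPv6 on the other is reported with the warning quoted above. Two details are assumptions: which addresses give way when the per-family cap is exceeded (the oldest learned here), and that an FQDN with no addresses yet produces no version warning. The scenario in the main block is constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

MAX_PER_FAMILY = 8                     # up to 8 IPv4 and 8 IPv6 addresses per FQDN
FQDN_VALID_AFTER_TTL_DEFAULT = 86400   # global FQDNValidAfterTTLDefault, one day
IP_VERSION_ERROR = "Inconsistent IP versions for source and destination IP Addresses"


class FqdnCache:
    """Model of the FQDN part of the DNS cache: each learned address stays valid
    until the answer's TTL has run out plus FQDNValidAfterTTL, and a refresh
    query is due as soon as the TTL itself has run out."""

    def __init__(self, valid_after_ttl_default: int = FQDN_VALID_AFTER_TTL_DEFAULT):
        self.valid_after_ttl_default = valid_after_ttl_default
        # fqdn -> {address: (learned_at, valid_until)}
        self._entries: Dict[str, Dict[object, Tuple[float, float]]] = {}
        # fqdn -> time at which the current answer's TTL runs out
        self._ttl_expiry: Dict[str, float] = {}

    def needs_refresh(self, fqdn: str, now: float) -> bool:
        return fqdn not in self._ttl_expiry or now >= self._ttl_expiry[fqdn]

    def store_answer(self, fqdn: str, now: float, answers: Iterable[str], ttl: int,
                     valid_after_ttl: Optional[int] = None) -> List[str]:
        """Record a DNS answer for fqdn. A per-object FQDNValidAfterTTL overrides
        the global default. Addresses from earlier answers are kept until their
        own deadline, so a changed answer widens the set instead of replacing it."""
        keep = self.valid_after_ttl_default if valid_after_ttl is None else valid_after_ttl
        entry = self._entries.setdefault(fqdn, {})
        self._ttl_expiry[fqdn] = now + ttl
        for text in answers:
            entry[ipaddress.ip_address(text)] = (now, now + ttl + keep)
        return self.addresses(fqdn, now)

    def addresses(self, fqdn: str, now: float) -> List[str]:
        """Addresses currently usable for fqdn, after dropping expired ones and
        enforcing the per-family cap. Which entries give way at the cap is not
        stated on the page; dropping the oldest learned is an assumption."""
        entry = self._entries.get(fqdn, {})
        for ip in [ip for ip, (_, until) in entry.items() if until <= now]:
            del entry[ip]
        for version in (4, 6):
            newest_first = sorted((ip for ip in entry if ip.version == version),
                                  key=lambda ip: entry[ip][0], reverse=True)
            for ip in newest_first[MAX_PER_FAMILY:]:
                del entry[ip]
        return [str(ip) for ip in sorted(entry, key=lambda ip: (ip.version, ip.packed))]


def ip_versions(addrs: Iterable[str]) -> set:
    """IP versions present in a list of addresses or networks."""
    return {ipaddress.ip_network(a, strict=False).version for a in addrs}


def check_rule_versions(source: Iterable[str], destination: Iterable[str]) -> Optional[str]:
    """Return the warning an IPRule gets when one side holds only IPv4 and the
    other only IPv6, or None when the rule is consistent. Either side may be
    the address list that an FQDN object currently resolves to."""
    src, dst = ip_versions(source), ip_versions(destination)
    if not src or not dst:
        return None  # nothing resolved yet, so no versions to compare (assumption)
    return IP_VERSION_ERROR if src.isdisjoint(dst) else None


if __name__ == "__main__":
    # Constructed scenario: the answer for a name changes between two lookups.
    cache = FqdnCache()
    cache.store_answer("server.example.com", now=0, answers=["203.0.113.10"], ttl=300)
    print(cache.needs_refresh("server.example.com", now=300))        # TTL ran out
    print(cache.store_answer("server.example.com", now=300, answers=["203.0.113.20"], ttl=300))
    print(cache.addresses("server.example.com", now=86700))            # old address aged out
    print(check_rule_versions(["192.0.2.0/24"], ["2001:db8::1"]))
```

The point worth noticing for policy is that after the answer changes, both 203.0.113.10 and 203.0.113.20 match the rule for a full day by default; a Deny rule therefore keeps blocking an address the name no longer points to, and an Allow rule keeps permitting it, until FQDNValidAfterTTL has elapsed. Lowering the per-object FQDNValidAfterTTL, as in the command above, shortens that window.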

Example 5.12. Adding an FQDN Address Object

This example shows how an FQDN address object called my_fqdn_ip1 is added to the cOS Stream address book.

The FQDN address object will contain the address for the FQDN server.example.com. It is assumed that at least one DNS server is already configured in cOS Stream so that the FQDN can be resolved to an IP address.

Command-Line Interface

System:/> add Address IPAddress my_fqdn_ip1 Address=server.example.com

Example 5.13. Using FQDN Address Objects with an IP Rule

In this example, connections from internal clients on the lan_net network, reached via the lan interface, to the web site www.example.com will not be allowed.

Command-Line Interface

A. Create the FQDN address object for www.example.com:

System:/> add Address IPAddress my_website_fqdn Address=www.example.com

B. Drop connections to the site:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=any
			DestinationNetwork=my_website_fqdn
			Service=all_services
			Name=deny_lan_to_example
			Action=Deny