FQDN support for Edge Firewall ACL rules and lists

Overview

F5 BIG-IP Next Cloud-Native Network Function (CNF) Edge Firewall lets you use Fully Qualified Domain Names (FQDNs) as source and destination matching criteria in access control list (ACL) rules. This means you can write firewall rules that reference domain names instead of IP addresses.

When you specify an FQDN in a rule, CNF Edge Firewall resolves it to one or more IP addresses. The firewall then matches traffic against those resolved addresses automatically.

Use FQDN-based rules to:

  • Allow or deny access to cloud service endpoints such as Amazon S3 buckets, Azure APIs, or Google Cloud Platform (GCP) resources that use domain names instead of static IP addresses.

  • Allow or deny access to remote APIs that require FQDN-based authentication endpoints.

  • Block lists of known malicious domains.


Key concepts

How FQDN resolution works in ACL rules

When you add an FQDN to an ACL rule, the firewall does not match traffic against the domain name directly. Instead, it resolves the FQDN to a set of IP addresses and matches traffic against those addresses.

For example, consider the following rule:

- name: Allow_from_NS1_to_NS2
  action: accept
  source:
    fqdns:
      - "www.somehost.org"
  destination:
    fqdns:
      - "www.f5.com"

This rule allows traffic where:

  • The source IP address matches any address resolved for www.somehost.org.

  • The destination IP address matches any address resolved for www.f5.com.

The firewall treats this as if you had written a rule that lists the resolved IP addresses directly. When the resolved addresses change, the firewall updates its rules automatically.

FQDN resolver

A single, global FQDN resolver handles domain name resolution for all CNF security features. The resolver shares a global lookup table across all policies that use FQDNs.

Key details about the resolver:

  • Global entry limit: You can use a maximum of 256 unique FQDN entries across all security policies.

  • Refresh behavior: The resolver uses the time-to-live (TTL) value from the DNS response to decide how often to re-resolve each FQDN.

  • Shared resolver: The same resolver and lookup table support FQDN entries in ACL rules, IP Intelligence (IPI) policies, and other security features that use FQDNs.
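The resolver behaviour described above (one shared table, re-resolution driven by the DNS TTL, entries that are registered but not yet resolved) as an added, self-contained model in Python. This is illustrative code written for this page, not F5's implementation: the DNS answers and the fake clock are constructed, and the handling of a failed lookup (keep the last-known addresses, retry on the next pass) is an assumption the page does not state.

```python
"""Toy model of the shared, TTL-driven FQDN resolver (added example, not F5 code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed DNS answers standing in for the real DNS server:
# fqdn -> (resolved addresses, TTL in seconds from the DNS response).
FAKE_DNS: Dict[str, Tuple[List[str], int]] = {
    "www.somehost.org": (["203.0.113.10", "203.0.113.11"], 60),
    "www.f5.com": (["198.51.100.5", "2001:db8::5"], 300),
}


@dataclass
class Entry:
    addresses: List[str]
    expires_at: float  # clock time at which the DNS TTL runs out


class FqdnResolver:
    """One global lookup table shared by every policy that references an FQDN."""

    def __init__(self, lookup: Callable[[str], Tuple[List[str], int]], clock: Callable[[], float]):
        self.lookup = lookup        # DNS query function
        self.clock = clock          # time source, injectable so the demo is deterministic
        self.table: Dict[str, Entry] = {}
        self.refresh_total = 0
        self.refresh_failures_total = 0

    def register(self, fqdn: str) -> str:
        """Add an FQDN to the shared table; repeated or differently-cased names reuse one entry."""
        key = fqdn.strip().lower().rstrip(".")
        if key not in self.table:
            # Not resolved yet: no addresses to match, and due for refresh immediately.
            self.table[key] = Entry(addresses=[], expires_at=float("-inf"))
        return key

    def refresh_due(self) -> List[str]:
        """Re-resolve every entry whose TTL has expired; returns the names that were refreshed."""
        now = self.clock()
        refreshed = []
        for name, entry in self.table.items():
            if now < entry.expires_at:
                continue                  # TTL still valid, no DNS query needed
            self.refresh_total += 1
            try:
                addresses, ttl = self.lookup(name)
            except KeyError:
                # Assumption: a failed lookup keeps the last-known addresses and is
                # retried on the next refresh pass (the page does not specify this).
                self.refresh_failures_total += 1
                continue
            entry.addresses = list(addresses)
            entry.expires_at = now + ttl   # next refresh is decided by the DNS TTL
            refreshed.append(name)
        return refreshed

    def addresses_for(self, fqdn: str) -> List[str]:
        """Addresses the firewall would currently match for this FQDN ([] while unresolved)."""
        entry = self.table.get(fqdn.strip().lower().rstrip("."))
        return list(entry.addresses) if entry else []


def demo() -> dict:
    """Drive the resolver with a fake clock: both names resolve at t=0; only the 60 s one is refreshed at t=61."""
    now = [0.0]
    resolver = FqdnResolver(lookup=lambda name: FAKE_DNS[name], clock=lambda: now[0])
    # Two policies referencing the same name (note case and trailing dot) share one entry;
    # "nonexistent.invalid" is a constructed name that never resolves.
    for name in ("www.somehost.org", "WWW.F5.COM.", "www.f5.com", "nonexistent.invalid"):
        resolver.register(name)
    first = resolver.refresh_due()
    now[0] = 61.0
    second = resolver.refresh_due()
    return {
        "entries": len(resolver.table),
        "first_refresh": first,
        "second_refresh": second,
        "f5_addresses": resolver.addresses_for("www.f5.com"),
        "unresolved": resolver.addresses_for("nonexistent.invalid"),
        "refresh_total": resolver.refresh_total,
        "failures": resolver.refresh_failures_total,
    }


if __name__ == "__main__":
    print(demo())
```

The counters mirror the spirit of num_refresh_total and num_refresh_failures_total from the fw_fqdn_stat table: every expired entry costs one DNS request on each pass, and a name that never resolves keeps costing a request (and a failure) until it is removed from the policy.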

High-speed logging

High-speed logging (HSL) messages include the source and destination FQDNs when available. If FQDN information is not available, the log entry shows the string unknown.

The unknown value appears in two situations:

  • The ACL policy does not contain any FQDN entries, so FQDN resolution is not active.

  • The FQDN has not been resolved yet, or the resolution failed.


Before you begin

Before you configure FQDN-based ACL rules, make sure the following prerequisites are met:

  • DNS resolver configured: You must configure a DNS resolver using the F5BigDnsZone CustomResourceDefinition (CRD) before you add FQDNs to ACL rules.

  • DNS server reachable: CNF must have network connectivity to the DNS server defined in your F5BigDnsZone configuration.

  • FQDN limit: Your total FQDN entries across all security policies must not exceed 256 unique entries.


Configure FQDN-based ACL rules

Step 1: Configure the DNS resolver

Set up the global FQDN resolver by creating an F5BigDnsCache resource with cacheType: net-resolver. The DNS resolver for the FQDN feature is configured through the named object security-fqdn-dns-resolver. By default, an empty CR object with this name is created and installed; you must edit that CR object to configure the DNS resolver and DNS zones specific to your setup.

Important: This feature does not work by default. You must configure a DNS resolver for the FQDN feature to work.

# Example security-fqdn-dns-resolver configuration

kubectl edit f5-big-dns-caches.k8s.f5net.com/security-fqdn-dns-resolver

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: security-fqdn-dns-resolver
spec:
  cacheType: net-resolver
  netResolver:
    forwardZones:
    - forwardZone: abc.com
      nameServers:
      - ipAddress: a.b.c.d #internal dns server
        port: 53
    - forwardZone: xyz.com
      nameServers:
      - ipAddress: w.x.y.z #dns server
        port: 53

If required, you can also configure static routes to reach the DNS servers configured in the f5-big-dns-caches.k8s.f5net.com/security-fqdn-dns-resolver as follows:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNetStaticroute
metadata:
  name: "route-dns-resolver"
spec:
  destination: "10.10.10.9"
  prefixLen: 32
  gateway: "10.10.10.1"

Step 2: Add FQDNs to your ACL rules

Add the fqdns field to the source, destination, or both sections of your firewall rule definition. The fqdns field accepts an array of strings, where each string is a valid domain name.

Example: Allow traffic between two domains

- name: Allow_from_NS1_to_NS2
  action: accept
  source:
    fqdns:
      - "www.somehost.org"
  destination:
    fqdns:
      - "www.f5.com"

Example: Deny traffic to a list of malicious domains

- name: Block_malicious_domains
  action: deny
  destination:
    fqdns:
      - "malicious-site-1.example.com"
      - "malicious-site-2.example.com"

An FQDN can coexist with other properties in the same ACL rule. All properties listed under source: in the following example are matched with OR semantics: if any one of the IP address, FQDN, geo, or zone criteria matches, the source section is a match.

Example: Rule with multiple source criteria matches including FQDN

apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "cnf-fw-policy"
spec:
  rule:
    - name: allow-http
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:20:0:0/96"
        fqdns:
          - "www.somehost.org"
        geos:
          - "US:California"
        zones:
          - "zone1"

Step 3: Apply the ACL policy

Apply the ACL policy using your normal ACL configuration workflow.

Step 4: Verify FQDN resolution

After you apply the policy, verify that the FQDN resolver is working by checking the resolver statistics.

The fw_fqdn_stat TMCTL table provides the following metrics:

Metric                          Description
------------------------------  -----------------------------------------------------------------
refresh_interval_secs           The refresh interval configured for the resolver
num_fqdns                       Total number of FQDNs registered across all security policies
num_refresh_total               Total number of DNS requests sent by the resolver
num_refresh_failures_total      Total number of DNS request failures
num_refresh_last_min            Number of DNS requests in the most recent statistics update
num_refresh_failures_last_min   Number of DNS request failures in the most recent statistics update

Limitations

  • The maximum number of unique FQDN entries across all security policies is 256.

  • Internationalized domain names (IDNs), also known as Unicode URLs, are not supported. IDN support is planned for a future release.

  • The FQDN resolver refresh interval is determined by the TTL value in the DNS response. You cannot configure a custom refresh interval.

  • FQDN rules match both IPv4 and IPv6 resolved addresses.
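Because the 256-entry limit and the IDN restriction apply across all security policies at once, it is useful to check them before applying a change rather than discovering them from failed resolution. The following added pre-flight validator in Python walks F5BigFwPolicy-style rule lists (the page's YAML rules, here as Python dicts) and reports names that are non-ASCII, malformed, or collectively over the limit. This is illustrative code written for this page, not an F5 tool; the sample policies are constructed, and the uniqueness rule (case-insensitive, trailing dot ignored) is an assumption.

```python
"""Pre-flight validator for FQDN entries in F5BigFwPolicy-style rule lists (added example, not F5 code)."""
import re
from typing import List, Optional, Set, Tuple

MAX_FQDN_ENTRIES = 256  # global limit across all security policies, as stated on this page
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(fqdn: str) -> str:
    """Canonical form used for uniqueness (assumption): lower-case, no surrounding space or trailing dot."""
    return fqdn.strip().lower().rstrip(".")


def fqdn_problem(fqdn: str) -> Optional[str]:
    """Return a description of why this FQDN is unusable, or None if it is acceptable."""
    if not fqdn.isascii():
        return "internationalized (non-ASCII) domain names are not supported"
    name = normalize(fqdn)
    if not name or len(name) > 253:
        return "empty name or longer than 253 characters"
    if not all(_LABEL.match(label) for label in name.split(".")):
        return "invalid DNS label (only a-z, 0-9 and '-', not at label ends, max 63 chars)"
    return None


def validate_policies(policies: List[dict]) -> Tuple[Set[str], List[str]]:
    """Collect unique FQDNs from source/destination of every rule and report problems."""
    unique: Set[str] = set()
    problems: List[str] = []
    for policy in policies:
        pname = policy.get("metadata", {}).get("name", "<unnamed>")
        for rule in policy.get("spec", {}).get("rule", []):
            for side in ("source", "destination"):
                for fqdn in (rule.get(side) or {}).get("fqdns", []):
                    problem = fqdn_problem(fqdn)
                    if problem:
                        problems.append(f"{pname}/{rule.get('name')}: {fqdn!r}: {problem}")
                    else:
                        unique.add(normalize(fqdn))
    if len(unique) > MAX_FQDN_ENTRIES:
        problems.append(f"{len(unique)} unique FQDNs exceed the global limit of {MAX_FQDN_ENTRIES}")
    return unique, problems


# Constructed sample: the page's rules plus a second policy that reuses one name and adds an IDN.
SAMPLE_POLICIES = [
    {"metadata": {"name": "cnf-fw-policy"}, "spec": {"rule": [
        {"name": "Allow_from_NS1_to_NS2", "action": "accept",
         "source": {"fqdns": ["www.somehost.org"]}, "destination": {"fqdns": ["www.f5.com"]}},
        {"name": "Block_malicious_domains", "action": "deny",
         "destination": {"fqdns": ["malicious-site-1.example.com", "malicious-site-2.example.com"]}},
    ]}},
    {"metadata": {"name": "second-policy"}, "spec": {"rule": [
        {"name": "shared-name", "action": "accept", "destination": {"fqdns": ["WWW.F5.COM."]}},
        {"name": "idn-name", "action": "deny", "destination": {"fqdns": ["bücher.example"]}},
    ]}},
]


def over_limit_policy(count: int) -> dict:
    """Generate a policy with `count` distinct constructed names, to exercise the global limit."""
    return {"metadata": {"name": "bulk"}, "spec": {"rule": [
        {"name": "bulk-deny", "action": "deny",
         "destination": {"fqdns": [f"host{i}.example.net" for i in range(count)]}},
    ]}}


if __name__ == "__main__":
    names, issues = validate_policies(SAMPLE_POLICIES)
    print(len(names), "unique FQDNs")
    for issue in issues:
        print("problem:", issue)
```

The validator only rejects raw non-ASCII names; whether an A-label (xn--) form of the same name would be accepted by the resolver is not stated on this page, so it is not checked here.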