Set up a distributed firewall rule to filter specific domains identified with FQDN/URLs, for example, *.office365.com.

Currently, a predefined list of domains is supported. You can see the list of FQDNs when you add a new context profile of attribute type Domain (FQDN) Name. You can also see a list of FQDNs by running the API call /policy/api/v1/infra/context-profiles/attributes?attribute_key=DOMAIN_NAME.

Note: FQDN filtering does not support CNAME records in DNS as the FQDN attribute type entry in context profiles.

You must set up a DNS rule first, and then the FQDN allowlist or denylist rule below it. NSX-T Data Center uses the time to live (TTL) in the DNS response (sent by the DNS server to the virtual machine) to decide how long to keep the DNS-to-IP mapping cache entry for the virtual machine (VM). To override the DNS TTL using a DNS security profile, see Configure DNS Security. For FQDN filtering to be effective, virtual machines must use a DNS server for domain resolution (no static DNS entries) and must honor the TTL received in the DNS response. NSX-T Data Center uses DNS snooping to obtain the mapping between an IP address and an FQDN. SpoofGuard should be enabled on all logical ports across the switch to protect against DNS spoofing attacks, in which a malicious VM injects spoofed DNS responses to redirect traffic to malicious endpoints or bypass the firewall. For more information about SpoofGuard, see Understanding SpoofGuard Segment Profile.

This feature works at layer 7 and does not cover ICMP. If a user creates a denylist rule for all services on example.com, the feature is working as intended if ping example.com still responds but curl example.com does not.

Selecting a wildcard FQDN is a best practice because it includes subdomains. For example, selecting *example.com would include subdomains such as americas.example.com and emea.example.com. Using example.com would not include any subdomains.

FQDN-based rules are retained during vMotion for ESXi hosts.

Note: ESXi and KVM hosts are supported. KVM hosts support the FQDN allowlist only. FQDN filtering is available only with TCP and UDP traffic.
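As an added illustration, not code from NSX-T or from this documentation, the following small Python model shows the mechanism described above: DNS snooping fills a per-VM FQDN-to-IP cache that honors the DNS TTL, a wildcard pattern covers subdomains while a bare FQDN does not, and only TCP/UDP flows are evaluated by the layer 7 rule. The class, method names, VM name and IP addresses are constructed for the example.

```python
import time
from fnmatch import fnmatchcase


class FqdnFilter:
    """Per-VM DNS snooping cache plus one FQDN allow/deny rule (toy model)."""

    def __init__(self, patterns, action, now=time.time):
        self.patterns = [p.lower() for p in patterns]  # e.g. ["*example.com"]
        self.action = action                            # "ALLOW", "DROP" or "REJECT"
        self.now = now                                  # injectable clock
        self.cache = {}                                 # (vm, ip) -> (fqdn, expiry)

    def snoop_dns_response(self, vm, fqdn, ip, ttl):
        """Record the DNS answer seen on its way to vm; it lives for the DNS TTL."""
        self.cache[(vm, ip)] = (fqdn.lower().rstrip("."), self.now() + ttl)

    def matches(self, fqdn):
        """Glob match: '*example.com' covers subdomains, bare 'example.com' does not."""
        return any(fnmatchcase(fqdn, p) for p in self.patterns)

    def verdict(self, vm, proto, dst_ip):
        """Action the FQDN rule applies to a flow, or None if later DFW rules decide."""
        if proto not in ("TCP", "UDP"):      # the L7 rule never sees ICMP
            return None
        entry = self.cache.get((vm, dst_ip))
        if entry is None:                    # no snooped answer (e.g. static DNS entry)
            return None
        fqdn, expiry = entry
        if self.now() >= expiry:             # TTL elapsed: mapping no longer trusted
            del self.cache[(vm, dst_ip)]
            return None
        return self.action if self.matches(fqdn) else None


def demo():
    """Constructed scenario: denylist *example.com and replay the cases in the text."""
    clock = [1000.0]
    fw = FqdnFilter(["*example.com"], "DROP", now=lambda: clock[0])
    fw.snoop_dns_response("vm1", "americas.example.com", "198.51.100.10", ttl=60)
    out = {
        "curl": fw.verdict("vm1", "TCP", "198.51.100.10"),    # DROP
        "ping": fw.verdict("vm1", "ICMP", "198.51.100.10"),   # None: not covered
        "static": fw.verdict("vm1", "TCP", "198.51.100.99"),  # None: no DNS seen
    }
    clock[0] += 61                                            # DNS TTL expires
    out["expired"] = fw.verdict("vm1", "TCP", "198.51.100.10")  # None
    return out
```

The "static" and "expired" cases are why the text insists on DNS-resolved, TTL-honoring VMs: without a fresh snooped answer the FQDN rule simply does not apply to the flow.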

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to Security > Distributed Firewall.
  3. Add a firewall policy section by following the steps in Add a Distributed Firewall. An existing firewall policy section can also be used.
  4. Select the new or existing firewall policy section and click Add Rule to create the DNS firewall rule first.
  5. Provide a name for the firewall rule, such as DNS rule, and provide the following details:
    - Services: Click the edit icon and select the DNS or DNS-UDP service as applicable to your environment.
    - Profile: Click the edit icon and select the DNS context profile. This is precreated and is available in your deployment by default.
    - Applied To: Select a group as required.
    - Action: Select Allow.
  6. Click Add Rule again to set up the FQDN allowlist or denylist rule.
  7. Name the rule appropriately, such as FQDN/URL Allowlist. Drag the rule under the DNS rule in this policy section.
  8. Provide the following details:
    - Services: Click the edit icon and select the service you want to associate with this rule, for example, HTTP.
    - Profile: Click the edit icon and click Add New Context Profile. Click in the column titled Attribute, and select Domain (FQDN) Name. Select the list of Attribute Name/Values from the predefined list. Click Add. See Add a Context Profile for details.
    - Applied To: Select DFW or a group as required.
    - Action: Select Allow, Drop, or Reject.
  9. Click Publish.