Set up a distributed firewall rule to filter specific domains identified with a fully qualified domain name, for example, *.office365.com.
You must set up a DNS rule first, and then the FQDN allowlist or denylist rule below it. NSX-T Data Center uses time to live (TTL) in the DNS response (coming from DNS server to the virtual machine), for keeping the DNS to IP mapping cache entry for the virtual machine. To override the DNS TTL using a DNS security profile, see Configure DNS Security. For FQDN filtering to be effective, virtual machines need to use a DNS server for domain resolution (no static DNS entries), and also need to honor the TTL received in the DNS response. NSX-T Data Center uses DNS Snooping to obtain a mapping between the IP address and the FQDN.
This feature works at layer 7 and does not cover ICMP. If a user creates a denylist rule for all services on example.com
the feature is working as intended if ping example.com
responds, but curl example.com
does not.
Selecting a wild card FQDN is a best practice because it includes sub domains. For example, selecting *.example.com
, would include sub domains such as americas.example.com
and emea.example.com
. Using example.com
would not include any sub domains.
FQDN-based rules are retained during vMotion for ESXi hosts.
Prerequisites
- Navigate to .
- Select the check box next to a policy section and click Add Rule.
- Provide a name for the firewall rule, such as DNS rule, and provide the following details:
Variable Description Name Provide a name for the rule, such as L7 DNS Rule Source Any or specific group Destination Any or specific group Services Click the edit icon, and select the DNS and DNS-UDP service. Context Profiles Click the edit icon, and select the DNS context profile. This is system generated context profile, and is available in your deployment by default. Applied To Select a group as required. Action Select Allow. - Click Publish.
Procedure
- With admin privileges, log in to NSX Manager.
- Navigate to .
- Click Add Rule to set up the FQDN allowlisting or denylisting rule.
- Name the rule appropriately, such as, FQDN/URL Allowlist.
- Provide the following details:
Option Description Services Click the edit icon and select the service you want to associate with this rule, for example, HTTP. Context Profiles Click the edit icon, and Add Context Profile and name the profile. In the Attributes column, select . Select the list of Attribute Name/Values from the predefined list, or create a custom FQDN. See Context Profilesfor details. Click Add, and Apply. Applied To Select DFW or a group as required. Action Select Allow, Drop, or Reject. - Click Publish.