
Understanding Domain Groups

This section describes the domain name matching mode and process.

Matching Modes

Domain names can be matched in two modes: exact match and suffix match. Table 1 shows the comparison of the two modes.
Table 1 Domain name matching modes

Matching Mode: Exact match
Definition: Matches the domain names that are identical to the specified string.
Item: www.example.com
Matching Result:
  In this matching mode, the following domain name matches the specified string:
    • www.example.com
  The following domain names do not match the specified string:
    • www.example.com.cn/news
    • www.example.org/news

Matching Mode: Suffix match
Definition: Matches the domain names that end with the specified string.
Item: *.example.com
NOTE: Domain names support only the asterisk (*) wildcard. A domain name can contain only one asterisk, and the asterisk must be the first character. A domain name supports two to four periods (.); the periods cannot be consecutive and the domain name cannot end with a period. That is, the format must be *.X.X, *.X.X.X, or *.X.X.X.X.
Matching Result:
  In this matching mode, all domain names that end with example.com are matched, for example:
    • www.example.com
    • test.example.com
    • test.abc.example.com
  The following domain name does not match the specified string:
    • example.test.com
Matching Process

After receiving a DNS packet, the FW performs domain name resolution for the packet. When the FW matches the packet with security policies by domain name, the matching rules vary according to the domain names referenced by the security policies:
  • If a security policy references only an exact domain name or a domain name suffix, the FW performs the exact match or suffix match based on the domain name of the packet to match the packet with the security policy.
  • If a security policy references an exact domain name and a domain name suffix, the FW performs the exact match and suffix match for the domain name of the DNS packet. As long as either the exact match or suffix match succeeds, the packet matches the security policy.
For example, the resolved domain name of a DNS packet is www.example.test.com, and the security policy named policy1 references an exact domain name, a domain name suffix, or both an exact domain name and a domain name suffix. The following table lists the match results.

Domain Name in the DNS Packet: www.example.test.com

Domain Name Referenced by policy1 and Domain Name Match Result:
  • Exact domain name: www.example.com
    The match fails.
  • Suffix domain name: *.test.com
    The match succeeds.
  • Exact and suffix domain names: www.example.com and *.test.com
    The match succeeds.
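The following Python snippet is an added illustration of the two matching modes, the suffix format rule from the NOTE in Table 1, and the matching process with the policy1 example above; it is not Huawei code and does not reproduce the FW's internal implementation. It assumes that a suffix item such as *.example.com matches only domain names that end with ".example.com" at a label boundary (so the bare apex example.com and a look-alike such as evilexample.com do not match); the page's examples are consistent with this but do not state it explicitly.

```python
import re

# Format rule from the NOTE: one leading asterisk followed by two to four
# labels, each introduced by a single period (*.X.X, *.X.X.X, *.X.X.X.X).
# Consecutive periods and a trailing period are rejected by the pattern.
SUFFIX_PATTERN = re.compile(r"^\*(\.[^.*]+){2,4}$")


def normalize(domain):
    """Lower-case the name and drop a trailing root dot from an FQDN."""
    return domain.rstrip(".").lower()


def is_valid_suffix(item):
    """True if item is a domain name suffix in the format the page allows."""
    return bool(SUFFIX_PATTERN.match(item))


def exact_match(domain, item):
    """Exact match: the resolved domain name equals the specified string."""
    return normalize(domain) == normalize(item)


def suffix_match(domain, item):
    """Suffix match: the resolved domain name ends with the part after '*'.

    Assumption (not stated on the page): the comparison keeps the leading
    period, so '*.example.com' matches 'test.abc.example.com' but not
    'evilexample.com' or 'example.test.com'.
    """
    if not is_valid_suffix(item):
        raise ValueError("invalid suffix item: %r" % item)
    suffix = item[1:].lower()          # '*.example.com' -> '.example.com'
    return normalize(domain).endswith(suffix)


def policy_matches(domain, referenced_items):
    """Matching process: a policy that references exact domain names and/or
    suffixes matches the packet as soon as any referenced item matches."""
    for item in referenced_items:
        if item.startswith("*"):
            if suffix_match(domain, item):
                return True
        elif exact_match(domain, item):
            return True
    return False


if __name__ == "__main__":
    # Constructed input reproducing the policy1 example from the page.
    resolved = "www.example.test.com"
    for items in (["www.example.com"], ["*.test.com"],
                  ["www.example.com", "*.test.com"]):
        print(items, "->", "succeeds" if policy_matches(resolved, items) else "fails")
```

Running the script prints "fails" for the exact-only policy and "succeeds" for the suffix-only and combined policies, matching the table above.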
Copyright © Huawei Technologies Co., Ltd.