
Limitations and Precautions for Domain Groups

Read limitations and precautions before configuring domain groups.

Hardware Requirements

Domain groups are supported by all models.

License Requirements

Domain groups are not license-controlled.

Limitations

  • Mappings between domain names and IP addresses can be learned in either of the following ways:
    • DNS request packets pass through the FW.
    • Configure the DNS server on the FW. The FW proactively initiates DNS requests to update mappings between domain names and IP addresses.

      In virtual systems, only DNS request packets can be used to learn mappings between domain names and IP addresses through the FW, and the DNS server cannot be configured. Therefore, in virtual system scenarios, the FW does not proactively initiate DNS requests to update mappings between domain names and IP addresses.

  • In the following scenarios, the FW cannot learn mappings passively. To use domain groups as match criteria in these scenarios, configure on the FW the same DNS server that the PC uses, so that the FW and PC learn the same mappings between domain names and IP addresses:
    • If DNS packets do not pass through the FW, the FW cannot record mappings between domain names and IP addresses.
    • If the FW restarts, the PC will not re-initiate DNS requests because the PC already has DNS records. Consequently, the FW cannot learn DNS records.

      In the preceding scenarios, the virtual system does not support the configuration of the DNS server. Therefore, the FW does not proactively initiate DNS requests to update mappings between domain names and IP addresses in virtual systems. As a result, policies referencing domain name groups in virtual systems become invalid.

  • In versions earlier than V600R007C20SPC603, if the TTL (aging time of the mapping between a domain name and an IP address) is shorter than 1800 seconds, the TTL is set to 1800 seconds. In V600R007C20SPC603 and later versions, the TTL is related to the minimum and maximum DNS aging time of a domain group configured using the domain-set dns aging-time command. For details about the TTL value, see domain-set dns aging-time.
  • In addition, you are advised to configure the DNS server on the FW to prevent the policy that references the domain group from being invalidated when the mapping between the domain name and IP address ages out. After a DNS server is configured and domain names are added to a domain group, the FW proactively requests the IP addresses of those domain names from the DNS server and binds them. When the TTL is less than 7 minutes, the FW proactively sends a request every 3 minutes so that the IP address corresponding to a domain name is updated in a timely manner.
  • Domain groups do not support IPv6.

  • When parsing a domain name in a domain group, the device sends a DNS request packet whose source IP address is the IP address of the outbound interface of the packet. Therefore, to ensure that the FW can receive the response packet and learn the IP address corresponding to the domain name, the route between the outbound interface of the packet and the DNS server must be reachable.
  • Proactive domain group learning allows domain name requests to be sent only to the DNS server in the public system. Even if the device has been configured to send DNS query requests to the DNS server in the specified VPN network using the dns server vpn-instance command, the domain group queries only the route to the DNS server in the public system.
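To make the aging and restart behaviour described above concrete, here is an added Python model (illustration written for this page, not Huawei code) that times out mappings using the constants in this section. It assumes one PC that re-resolves whenever its own cache (the DNS TTL) expires and, when a DNS server is configured on the FW, that the FW re-queries the domain names bound to the group immediately after a restart.

```python
# Simplified timeline model of FW domain-group mapping learning (added
# illustration, not Huawei code). Constants come from this section; the
# immediate re-query after restart is an assumption based on the text's
# "proactively request ... and bind" wording. All times are in seconds.

TTL_FLOOR_PRE_SPC603 = 1800   # versions earlier than V600R007C20SPC603
PROACTIVE_THRESHOLD = 7 * 60  # below this TTL the FW refreshes periodically
PROACTIVE_INTERVAL = 3 * 60   # refresh period in that case


def effective_ttl(dns_ttl, pre_spc603):
    """Aging time the FW applies to a learned domain-to-IP mapping."""
    return max(dns_ttl, TTL_FLOOR_PRE_SPC603) if pre_spc603 else dns_ttl


def refresh_interval(dns_ttl):
    """Seconds between proactive re-queries when a DNS server is configured."""
    return PROACTIVE_INTERVAL if dns_ttl < PROACTIVE_THRESHOLD else dns_ttl


def policy_gaps(dns_ttl, pre_spc603, dns_server_on_fw, fw_restart_at, horizon):
    """Return [(start, end)] intervals during which a policy referencing the
    domain group has no mapping to match. The PC resolves at t=0 and again
    whenever its own cache expires; fw_restart_at=None means no restart."""
    fw_expires = None      # time the FW entry ages out (None = no entry)
    pc_next_query = 0      # PC DNS requests pass through the FW
    fw_next_query = 0 if dns_server_on_fw else None
    gaps, gap_start = [], None
    for t in range(horizon + 1):
        if t == fw_restart_at:
            fw_expires = None                  # mapping table lost on restart
            if dns_server_on_fw:
                fw_next_query = t              # re-query bound domain names
        if pc_next_query == t:                 # FW learns from PC's request
            fw_expires = t + effective_ttl(dns_ttl, pre_spc603)
            pc_next_query = t + dns_ttl
        if fw_next_query == t:                 # FW's own proactive request
            fw_expires = t + effective_ttl(dns_ttl, pre_spc603)
            fw_next_query = t + refresh_interval(dns_ttl)
        valid = fw_expires is not None and t < fw_expires
        if not valid and gap_start is None:
            gap_start = t
        elif valid and gap_start is not None:
            gaps.append((gap_start, t))
            gap_start = None
    if gap_start is not None:
        gaps.append((gap_start, horizon + 1))
    return gaps
```

With a 300-second TTL and an FW restart at t=100, the passive-only configuration leaves the policy without a mapping until the PC re-resolves at t=300, while configuring the DNS server on the FW closes that gap entirely.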
Copyright © Huawei Technologies Co., Ltd.