FQDN host

You can configure fully qualified domain name (FQDN) hosts on Sophos Firewall. You can use FQDN hosts when you configure rules, policies, and settings, such as firewall rules, SD-WAN policy routes, and VPN settings.

Information about FQDNs and FQDN hosts

FQDNs

You can have FQDNs with and without wildcards. The firewall resolves FQDNs in the following manner:

  • FQDNs without wildcards: The firewall performs a DNS lookup for the specified FQDN and uses all the IP addresses returned to resolve the FQDN. It then repeats this process when the TTL of the previous response expires.
  • Wildcard FQDNs: The firewall inspects DNS traffic and extracts the IP addresses from responses for matching domains. The firewall does this in one of the following ways:

    • If you've configured the firewall as the DNS server, DNS requests from the endpoint computers go directly to the firewall. The firewall's DNS server looks for matches in responses to DNS requests sent by endpoint computers and extracts the IP addresses for matching domains.
    • If you're using an external DNS server, the firewall's DPI engine inspects packets for any UDP DNS traffic passing through the firewall on port 53 to external DNS servers, such as Google or Sophos DNS Protection. The firewall extracts IP addresses for matching domains from this DNS traffic.
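
As an added illustration (example code, not Sophos code or any firewall API), the following Python models the two resolution behaviours just described: a plain FQDN host keeps every address returned by a lookup and is queried again only when the previous answer's TTL expires, while a wildcard host is populated from the DNS responses the firewall observes. The FqdnHost class, the helper names, the shortest-TTL rule, the "at least one label before the suffix" wildcard rule and the sample DNS data are all assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class FqdnHost:
    """Simplified model of an FQDN host object (assumed structure, not Sophos code)."""
    fqdn: str
    ips: set = field(default_factory=set)
    expires_at: float = 0.0   # when to re-resolve; only meaningful for non-wildcard hosts

    @property
    def is_wildcard(self) -> bool:
        return self.fqdn.startswith("*.")

    def matches(self, name: str) -> bool:
        """Exact match for plain FQDNs; '*.example.com' needs at least one label
        in front of 'example.com' (an assumption about the wildcard semantics)."""
        name = name.lower().rstrip(".")
        if self.is_wildcard:
            return name.endswith("." + self.fqdn[2:].lower())
        return name == self.fqdn.lower()

def refresh_plain(host: FqdnHost, lookup, now: float) -> bool:
    """Non-wildcard resolution: look the FQDN up, keep every returned address,
    and only query again once the previous answer's TTL has expired.
    Returns True when a lookup was actually performed."""
    if host.is_wildcard or now < host.expires_at:
        return False
    answers = lookup(host.fqdn)  # list of (ip, ttl) from the resolver
    host.ips = {ip for ip, _ in answers}
    # With several records, the shortest TTL decides when to re-query (assumption).
    host.expires_at = now + (min(ttl for _, ttl in answers) if answers else 0)
    return True

def observe_dns_response(hosts, qname: str, ips) -> None:
    """Wildcard resolution: the firewall harvests addresses from DNS responses
    it sees (its own DNS server, or UDP/53 traffic via DPI) for matching names."""
    for h in hosts:
        if h.is_wildcard and h.matches(qname):
            h.ips.update(ips)

def rule_matches(host: FqdnHost, dst_ip: str) -> bool:
    """A firewall rule that references the host matches a known resolved IP."""
    return dst_ip in host.ips

# Constructed stand-in for real DNS, using documentation addresses (RFC 5737).
SAMPLE_DNS = {"mail.example.com": [("192.0.2.10", 300), ("192.0.2.11", 120)]}

def sample_lookup(fqdn: str):
    return SAMPLE_DNS.get(fqdn, [])
```

Note that a wildcard host only knows addresses the firewall has actually seen in DNS responses, so a client that resolves a name through a path the firewall does not inspect will not be matched.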

FQDN hosts

FQDN hosts make managing hosts and IP addresses easier:

  • FQDN hosts can resolve to multiple IP addresses.
  • You aren't required to remember IP addresses.
  • Sophos Firewall optimizes security by basing actions in firewall rules on FQDN hosts.

You can configure FQDN hosts for the following objects:

  • Mail servers
  • Proxy servers
  • DNS hosts
  • External authentication servers, such as AD and LDAP
  • Remote access VPN endpoints
  • Web servers
  • Syslog servers

Note

FQDN hosts don't support multiple domains that resolve to a single IP address. For example, test.com and example.com can't both resolve to 192.0.2.1.

Add an FQDN host

You can create, edit, and delete FQDN hosts.

To add an FQDN host, do as follows:

  1. Go to Hosts and services > FQDN host and click Add.
  2. Enter your FQDN host settings.

    Setting          Description
    Name             The name you give to the FQDN host. Example: example.com
    FQDN             The host's fully qualified domain name. Example: *.example.com
    FQDN host group  Select a host group from the list, or create a new group.

    Note

    An FQDN host can belong to more than one FQDN host group.

    The following image shows example settings.

    Example FQDN host settings.

  3. Click Save.