Overview

A FQDN host identifies a destination by its domain name (for example, updates.example.com) instead of a static IP address. This is useful for services whose IP addresses change over time or resolve to several addresses at once, such as cloud services, content delivery networks, and SaaS applications. The GajShield firewall periodically resolves the FQDN and keeps the associated IP addresses up to date, so a rule built on a FQDN host continues to work without manual edits when the destination's addressing changes.

When to use a FQDN host

FQDN hosts are the right choice whenever the destination you want to control does not have a stable, predictable IP address. Common cases include allowing or restricting access to specific cloud or SaaS platforms, controlling traffic to services hosted behind a CDN that returns rotating addresses, and writing rules against domains that resolve to multiple IPs for load balancing. If you would otherwise have to maintain a list of IP addresses by hand and update it whenever the service changes, a FQDN host removes that burden.

How to configure a FQDN host

Navigate to Definitions > Hosts > FQDN hosts in the GajOS web interface.

Add a new FQDN host and enter the fully qualified domain name you want to define (for example, portal.example.com). Give it a clear name so it is easily recognizable when you build rules later, then save. The firewall will resolve the domain and track the IP address or addresses it returns.

Using the FQDN host in a firewall rule

Once created, the FQDN host becomes available in the source and destination fields when you create or edit a firewall rule, in the same way as a standard host object. Select the FQDN host where you would normally choose an IP-based host, and the rule will apply to whichever addresses the domain currently resolves to.

Things to keep in mind

Because FQDN hosts depend on DNS resolution, the firewall must be able to reach a working DNS server to resolve and refresh the addresses correctly. Resolution is refreshed periodically rather than instantly, so a very recent DNS change at the destination may take a short time to be reflected. For domains that resolve to a large or frequently changing set of addresses, expect the underlying IP list to update over time as the firewall re-resolves the name.
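The following Python model is an added illustration, not GajShield code or part of the GajOS documentation. It shows how the behaviour described in the two sections above fits together: a rule built on a FQDN host matches on the address set the firewall last resolved, that set is refreshed only when its cached answer expires, and a DNS outage leaves the last known set in place. The resolver, the zone data, the timings and the addresses (RFC 5737 documentation ranges) are all constructed for the example; a real firewall resolves through its configured DNS server.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed stand-in for DNS. For each name, a list of
# (effective_from_seconds, address set, ttl_seconds) entries describing how
# the published answer changes over time. Not a real resolver.
ZoneEntry = Tuple[float, Set[str], int]


class FakeResolver:
    """Returns whichever scripted answer is in effect at time `now`, and
    raises OSError when the 'DNS server' is marked unreachable."""

    def __init__(self, zone: Dict[str, List[ZoneEntry]], reachable: bool = True):
        self._zone = zone
        self.reachable = reachable

    def resolve(self, name: str, now: float) -> Tuple[Set[str], int]:
        if not self.reachable:
            raise OSError("DNS server unreachable")
        in_effect = [e for e in self._zone[name] if e[0] <= now]
        if not in_effect:
            raise OSError("no answer for " + name)
        _, ips, ttl = max(in_effect, key=lambda e: e[0])
        return set(ips), ttl


@dataclass
class FqdnHost:
    """Model of a FQDN host object: the name, the address set it last
    resolved to, and when that cached set is due for a refresh."""
    name: str
    resolver: FakeResolver
    addresses: Set[str] = field(default_factory=set)
    expires_at: float = 0.0
    last_error: str = ""

    def refresh(self, now: float) -> None:
        """Re-resolve only when the cached answer's TTL has run out. If the
        resolver is unreachable, keep the last known set and record the
        error instead of silently emptying the rule's address list."""
        if self.addresses and now < self.expires_at:
            return
        try:
            ips, ttl = self.resolver.resolve(self.name, now)
        except OSError as exc:
            self.last_error = str(exc)
            return
        self.addresses = {str(ip_address(ip)) for ip in ips}  # validate each address
        self.expires_at = now + ttl
        self.last_error = ""

    def matches(self, dest_ip: str, now: float) -> bool:
        """Rule evaluation: the packet matches only if its destination IP is
        in the currently cached set. Matching is on the resolved IP, not on
        the hostname the client asked for."""
        self.refresh(now)
        return str(ip_address(dest_ip)) in self.addresses


def run_scenario() -> dict:
    """Walk through a service that publishes two A records, moves to a new
    address at t=30s, and is then unreachable via DNS. Times are seconds."""
    resolver = FakeResolver({
        "portal.example.com": [
            (0.0, {"203.0.113.10", "203.0.113.11"}, 60),  # two A records, TTL 60s
            (30.0, {"203.0.113.12"}, 60),                 # service moves at t=30
        ]
    })
    host = FqdnHost("portal.example.com", resolver)
    out = {}
    out["t0_first_ip"] = host.matches("203.0.113.10", now=0)        # True
    out["t0_second_ip"] = host.matches("203.0.113.11", now=0)       # True: both records
    # DNS changed at t=30, but the cached set is valid until t=60.
    out["t45_new_ip"] = host.matches("203.0.113.12", now=45)        # False: not yet re-resolved
    out["t61_new_ip"] = host.matches("203.0.113.12", now=61)        # True: refreshed
    out["t61_old_ip"] = host.matches("203.0.113.10", now=61)        # False: dropped
    # DNS outage after the next TTL expiry: last known set stays in force.
    resolver.reachable = False
    out["t130_during_outage"] = host.matches("203.0.113.12", now=130)  # True
    out["outage_error"] = host.last_error
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The 45-second check is the point to note when troubleshooting: between a destination's DNS change and the firewall's next refresh, traffic to the new address does not match the rule, which is the short delay the paragraph above describes. How a real firewall handles a resolution failure is product-specific; the keep-last-known behaviour here is an assumption of the model, chosen so that a DNS outage does not silently turn the rule into an empty match.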