Updated on 2025-07-23 GMT+08:00

Managing Domain Name Groups

Scenario

A domain name group is a collection of domain names or wildcard domain names. (The standard format of a wildcard domain name is *.Domain_name, where * is a wildcard character that matches any string, for example, *.example.com.) You can reference a domain name group in an access rule to implement unified traffic control for that group. Updates to the domain name group are automatically synchronized to all the policies associated with it. This helps you quickly modify policies and avoid repeated configuration, improving O&M efficiency.

Domain Name Group Types

CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.

Table 1 Domain name group types

Protected object
  • Application domain name group (layer 7 protocol parsing): domain names and wildcard domain names
  • Network domain name group (layer 4 protocol parsing): a single domain name or multiple domain names

Protocol type
  • Application domain name group: application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS.
  • Network domain name group: network layer protocols. All protocol types are supported.

Match rule
  • Application domain name group: the match is based on the domain name. The service compares the HOST field in sessions with the application domain names. If they are consistent, the corresponding protection rule is hit.
  • Network domain name group: the filtering is based on the resolved IP addresses. The service obtains the IP addresses resolved by DNS every 15 seconds. If the four-tuple of a session matches the network domain name rule and the resolved address has been saved (that is, the IP address has been obtained from the DNS server), the corresponding protection rule is hit.

Suggestion

For domain names that map to a large number of IP addresses or whose resolution results change rapidly (for example, domain names accelerated by CDN), you are advised to use an application domain name group.

Constraints

  • When adding a domain name group, the constraints on the two types of domain name groups are as follows:
    • Application domain name group (layer 7 protocol parsing)
      • A firewall instance can have up to 500 domain name groups.
      • A firewall instance can have up to 2,500 domain names.
      • An application domain name group can contain up to 1,500 domain names. Up to 500 domain names can be added at a time.
    • Network domain name group (layer 4 protocol parsing)
      • A firewall instance can have up to 1,000 domain names.
      • A network domain name group can have up to 15 domain names.
      • Each domain name group can resolve up to 1,500 IP addresses.
      • Each domain name can resolve up to 1,000 IP addresses.
  • A domain name group referenced by a protection rule cannot be deleted. Modify or delete the rule first.

Adding a Domain Name Group

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. Click the Domain Name Groups tab page.

    (Optional) To add a network domain name group, click the Network Domain Name Group tab.

  7. On the Application Domain Name Group or Network Domain Name Group page, click Add Domain Name Group. On the Add Domain Name Group page, enter the domain name group information.

    Table 2 Domain name group parameters

    • Domain Name Group Type: Application or Network.
    • Group Name: name of a user-defined domain name group.
    • Domain Name: enter domain names and click Parse to add them to the domain name list. The rules are as follows:
      • You can enter a multi-level domain name (for example, top-level domain name example.com and level-2 domain name www.example.com) or a wildcard domain name (*.example.com).
      • Multiple domain names are separated by commas (,), semicolons (;), line breaks, or spaces.
      • Domain names must be unique.
    • Description: (Optional) enter remarks for the domain name group.

  8. Confirm the information and click OK.
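As an added example (not part of the CFW documentation or the service's own code), the following Python applies the Domain Name field rules from Table 2 and the layer 7 HOST match from Table 1: it splits input on the accepted separators, validates plain and wildcard names, drops duplicates, enforces the per-operation limit, and compares a session HOST field against a group entry. The DNS label syntax, the assumption that network domain name groups hold only plain domain names, and the choice that *.example.com does not match the bare example.com are assumptions of this example, not statements from the page.

```python
import re

# Separators accepted by the console's Domain Name field (Table 2):
# commas, semicolons, line breaks and spaces.
SEPARATORS = re.compile(r"[,;\s]+")
# One DNS label (assumed syntax): letters, digits and hyphens, no leading/trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")
WILDCARD = re.compile(rf"^\*\.(?:{LABEL}\.)+{LABEL}$")

MAX_PER_BATCH = 500       # application group: domain names per add operation (Constraints)
MAX_NETWORK_GROUP = 15    # network group: domain names per group (Constraints)


def parse_domain_input(text, group_type="application"):
    """Turn console input into (accepted, rejected) lists of domain names."""
    seen, accepted, rejected = set(), [], []
    for raw in SEPARATORS.split(text.strip()):
        if not raw:
            continue
        name = raw.lower().rstrip(".")
        # Assumption: only application groups list wildcard names (Table 1).
        if group_type == "network" and name.startswith("*."):
            rejected.append(raw)
            continue
        if not (DOMAIN.match(name) or WILDCARD.match(name)):
            rejected.append(raw)
            continue
        if name in seen:          # domain names must be unique
            continue
        seen.add(name)
        accepted.append(name)
    limit = MAX_PER_BATCH if group_type == "application" else MAX_NETWORK_GROUP
    if len(accepted) > limit:
        raise ValueError(f"{len(accepted)} domain names exceed the limit of {limit}")
    return accepted, rejected


def host_matches(pattern, host):
    """Layer 7 style comparison of a session HOST field with a group entry."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]      # "*.example.com" -> ".example.com"
        # Requires at least one label before the suffix, so the apex does not match.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern
```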

Adding a Domain Name to a Domain Name Group

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. Click the Domain Name Groups tab page. Click the name of a domain name group. The group details page is displayed.

    To add a domain name to a network domain name group, click the Network Domain Name Group tab page, and click the name of a domain name group. The group details page is displayed.

  7. Click Add Domain and enter domain name information.

    You can click Add to add multiple domain names.

  8. Confirm the information and click OK.

Deleting a Domain Name Group

Deleted domain names cannot be restored. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. Click the Domain Name Groups tab. Locate the row that contains the item to be deleted. Click Delete in the Operation column. In the displayed dialog box, enter DELETE and click OK.

    To delete a network domain name group, switch to the Network Domain Name Group tab page first.

Related Operations

  • Exporting domain name groups: Click Export above the list and select a data range.
  • Batch deleting domain names: On the domain name group details page, select domain names, click Delete above the list, confirm the information, and click OK.
  • Editing a domain name group: Click the name of a domain name group and modify parameters.
  • A domain name group takes effect only after it is set in a protection rule. For more information, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
  • Viewing the IP addresses resolved by a network domain name group: Click the domain name group name to go to the Basic Information page, and click IP address in the Operation column of the domain name list.