Managing Domain Name Groups
Scenario
A domain name group is a collection of domain names or wildcard domain names. (The standard format of a wildcard domain name is *.Domain_name, where * is a wildcard character that matches any string, for example, *.example.com.) You can reference a domain name group in an access rule to implement unified traffic control for that group. Updates to the domain name group are automatically synchronized to all policies associated with it. This lets you modify policies quickly and avoid repeated configuration, improving O&M efficiency.
Domain Name Group Types
CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.
| | Application Domain Name Group (Layer 7 Protocol Parsing) | Network Domain Name Group (Layer 4 Protocol Parsing) |
|---|---|---|
| Protected object | | |
| Protocol type | Application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS. | Network layer protocols. All protocol types are supported. |
| Match rule | Matching is based on the domain name: the service compares the HOST field of a session with the application domain names in the group. If they match, the corresponding protection rule is hit. | Filtering is based on resolved IP addresses: the service obtains the addresses resolved by DNS every 15 seconds. If the four-tuple of a session matches the network domain name rule and the resolved address has already been saved (that is, the IP address has been obtained from the DNS server), the corresponding protection rule is hit. |
| Suggestion | Use an application domain name group for domain names that map to a large number of addresses or whose resolution results change rapidly (for example, domain names accelerated by CDN). | |
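The two match rules in the table above, modelled as an added example (illustrative code written for this page, not CFW's implementation). Beyond what the table states, it assumes that a wildcard entry matches any name with at least one extra label to the left of the suffix but not the bare domain, that HOST comparison ignores case, port and a trailing dot, and that the 15-second DNS refresh is a periodic poll. The DNS answers, clock and addresses (TEST-NET-3 range) are constructed.

```python
import ipaddress
import time


def normalize_host(host: str) -> str:
    """Assumed HOST normalization: lower-case, drop a port suffix and a trailing dot."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Layer 7 rule: exact domain match, or wildcard '*.suffix' matching any
    name with at least one extra label to the left (assumed wildcard semantics)."""
    host = normalize_host(host)
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


class ApplicationDomainGroup:
    """Application domain name group: matched against the session HOST field."""

    def __init__(self, name, domains):
        self.name = name
        self.domains = list(domains)

    def matches(self, session_host: str) -> bool:
        return any(host_matches(d, session_host) for d in self.domains)


class NetworkDomainGroup:
    """Network domain name group: matched against the IP addresses the group's
    domain names resolved to; the saved set is refreshed every 15 seconds."""

    REFRESH_SECONDS = 15

    def __init__(self, name, domains, resolver, clock=time.monotonic):
        self.name = name
        self.domains = list(domains)
        self._resolver = resolver          # callable: domain -> list of IP strings
        self._clock = clock
        self._resolved = set()
        self._last_refresh = None

    def poll(self) -> bool:
        """Periodic DNS poll; re-resolves only once the 15 s interval has elapsed."""
        now = self._clock()
        if self._last_refresh is not None and now - self._last_refresh < self.REFRESH_SECONDS:
            return False
        addrs = set()
        for domain in self.domains:
            addrs.update(ipaddress.ip_address(ip) for ip in self._resolver(domain))
        self._resolved = addrs
        self._last_refresh = now
        return True

    def matches(self, dst_ip: str) -> bool:
        """Layer 4 rule: hit only if the destination is in the already-saved set."""
        return ipaddress.ip_address(dst_ip) in self._resolved


class FakeClock:
    """Constructed clock so the refresh interval can be stepped deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: a CDN-fronted name whose DNS answer rotates between polls."""
    dns = {"cdn.example.com": ["203.0.113.10"]}          # constructed answers (TEST-NET-3)
    clock = FakeClock()
    app = ApplicationDomainGroup("app-grp", ["example.com", "*.example.com"])
    net = NetworkDomainGroup("net-grp", ["cdn.example.com"],
                             resolver=lambda d: dns.get(d, []), clock=clock)
    out = {}
    out["l7_apex"] = app.matches("example.com")               # exact entry
    out["l7_subdomain"] = app.matches("CDN.example.com:443")  # wildcard entry
    out["l7_other"] = app.matches("example.org")
    out["l4_before_first_poll"] = net.matches("203.0.113.10")
    net.poll()
    out["l4_after_poll"] = net.matches("203.0.113.10")
    dns["cdn.example.com"] = ["203.0.113.20"]                 # CDN rotates the edge address
    clock.advance(5)
    net.poll()                                                # too early, keeps old set
    out["l4_new_ip_within_15s"] = net.matches("203.0.113.20")
    clock.advance(10)
    net.poll()                                                # 15 s elapsed, refreshes
    out["l4_new_ip_after_refresh"] = net.matches("203.0.113.20")
    out["l4_old_ip_after_refresh"] = net.matches("203.0.113.10")
    return out


if __name__ == "__main__":
    for key, hit in demo().items():
        print(f"{key}: {'hit' if hit else 'miss'}")
```

The scenario shows why the table recommends application domain name groups for CDN-accelerated names: the layer 4 group only matches addresses saved at its last poll, so a session to a freshly rotated edge address misses the rule until the next 15-second refresh, while the layer 7 group keeps matching on the HOST field regardless of which address the client connects to.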
Constraints
- For adding a domain name group, the constraints on the two types of domain name groups are as follows:
  - Application domain name group (layer 7 protocol parsing)
    - A firewall instance can have up to 500 domain name groups.
    - A firewall instance can have up to 2,500 domain names.
    - An application domain name group can contain up to 1,500 domain names. Up to 500 domain names can be added at a time.
  - Network domain name group (layer 4 protocol parsing)
    - A firewall instance can have up to 1,000 domain names.
    - A network domain name group can have up to 15 domain names.
    - Each domain name group can resolve up to 1,500 IP addresses.
    - Each domain name can resolve up to 1,000 IP addresses.
- A domain name group referenced by a protection rule cannot be deleted. Modify or delete the rule first.
Adding a Domain Name Group
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the Domain Name Groups tab page.
  (Optional) To add a network domain name group, click the Network Domain Name Group tab page.
- On the Application Domain Name Group or Network Domain Name Group page, click Add Domain Name Group. On the Add Domain Name Group page, enter the domain name group information.
Table 2 Domain name group parameters

| Parameter | Description |
|---|---|
| Domain Name Group Type | Application/Network |
| Group Name | Name of the user-defined domain name group. |
| Domain Name | Enter domain names and click Parse to add them to the domain name list. The rules are as follows: (1) You can enter a multi-level domain name (for example, the top-level domain name example.com or the level-2 domain name www.example.com) or a wildcard domain name (*.example.com). (2) Separate multiple domain names with commas (,), semicolons (;), line breaks, or spaces. (3) Domain names must be unique. |
| Description | (Optional) Remarks for the domain name group. |
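An added example of the input handling the Domain Name field describes: splitting on the accepted separators, rejecting malformed entries and duplicates, and applying the per-group and per-batch limits from the Constraints section. This is illustrative code written for this page, not the console's own parser. The syntax check (hostname labels of letters, digits and hyphens, at least two labels, an optional leading `*.`), case-insensitive uniqueness, and the ordering of the checks are assumptions; the limits are the page's numbers.

```python
import re

# Limits taken from the Constraints section of the page.
APPLICATION_GROUP_CAPACITY = 1500   # domain names per application domain name group
NETWORK_GROUP_CAPACITY = 15         # domain names per network domain name group
MAX_PER_BATCH = 500                 # domain names that may be added in one operation

# Separators the page accepts: commas, semicolons, line breaks, or spaces.
SEPARATORS = re.compile(r"[,;\s]+")

# Assumed syntax check (the page only gives examples): labels of letters, digits
# and hyphens that do not start or end with a hyphen, at least two labels,
# optionally prefixed by the "*." wildcard.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:\*\.)?(?:{LABEL}\.)+{LABEL}$")


def parse_domain_field(text, existing=(), capacity=APPLICATION_GROUP_CAPACITY,
                       max_per_batch=MAX_PER_BATCH):
    """Split the Domain Name field, validate each entry and apply the group limits.

    Returns (accepted, rejected): accepted is the ordered list of normalized
    names to add; rejected maps each refused raw token to the reason.
    `existing` holds names already in the group, so re-adding one is a duplicate.
    """
    seen = {d.lower().rstrip(".") for d in existing}   # uniqueness is case-insensitive (assumed)
    accepted, rejected = [], {}
    for raw in SEPARATORS.split(text.strip()):
        if not raw:
            continue
        name = raw.lower().rstrip(".")
        if len(name) > 253 or not DOMAIN_RE.match(name):
            rejected[raw] = "invalid format (expected name.tld or *.name.tld)"
        elif name in seen:
            rejected[raw] = "duplicate"
        elif len(accepted) >= max_per_batch:
            rejected[raw] = f"batch limit of {max_per_batch} reached"
        elif len(seen) >= capacity:
            rejected[raw] = f"group limit of {capacity} reached"
        else:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input mixing every separator, a case-variant duplicate and two bad entries.
    sample = "example.com, www.example.com;*.example.com\nExample.com bad_name.com *.com"
    ok, bad = parse_domain_field(sample)
    print("accepted:", ok)
    for token, reason in bad.items():
        print(f"rejected {token!r}: {reason}")
```

Pass `capacity=NETWORK_GROUP_CAPACITY` when the target is a network domain name group, so the 15-entry limit is enforced against the names already in the group plus the new batch.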
- Confirm the information and click OK.
Adding a Domain Name to a Domain Name Group
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the Domain Name Groups tab page. Click the name of a domain name group. The group details page is displayed.
To add a domain name to a network domain name group, click the Network Domain Name Group tab page, and click the name of a domain name group. The group details page is displayed.
- Click Add Domain and enter domain name information.
You can click Add to add multiple domain names.
- Confirm the information and click OK.
Deleting a Domain Name Group

Deleted domain names cannot be restored. Exercise caution when performing this operation.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the Domain Name Groups tab. Locate the row that contains the item to be deleted. Click Delete in the Operation column. In the displayed dialog box, enter DELETE and click OK.
To delete a network domain name group, switch to the Network Domain Name Group tab page first.
Related Operations
- Exporting domain name groups: Click Export above the list and select a data range.
- Batch deleting domain names: On the domain name group details page, select domain names, click Delete above the list, confirm the information, and click OK.
- Editing a domain name group: Click the name of a domain name group and modify parameters.
- A domain name group takes effect only after it is set in a protection rule. For more information, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
- Viewing the IP addresses resolved by a domain name group of the network domain name group type: Click a domain name group name to go to the Basic Information page, and click IP address in the Operation column of the domain name list.