Adding a Domain Name Group

Matching Policy

• Application Domain Name Group: CFW compares the HOST field in sessions with the application domain names. If they are consistent, the corresponding protection rule is hit.
• Network Domain Name Group: CFW obtains the IP addresses resolved by DNS every 15 seconds, if the four-tuple of a session matches the network domain name rule and the resolved address has been saved (that is, the IP address has been obtained from the DNS server), the corresponding protection rule is hit.

  A single domain name can resolve up to 1,000 IP addresses. Each domain group can resolve up to 1,500 IP addresses. If the number of resolution results reaches the upper limit, no domain names can be added to the domain group.

You are advised to use the application domain name group (for example, the domain name accelerated by CDN) for the domain names that have a large number of mapping addresses or rapidly changing mapping results.

Constraints

• Domain names in Chinese cannot be added to domain name groups.
• The domain names in a domain name group can be referenced by protection rules for up to 40,000 times, and wildcard domain names can be referenced for up to 2,000 times.

Adding a Domain Name Group

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
5. In the navigation pane, choose Access Control > Object Groups.
6. (Optional) To add a network domain group, click the Network Domain Name Group tab.
7. Click the Domain Name Groups tab. Click Add Domain Name Group and configure parameters.

   Table 1 Domain name group parameters

   Parameter	Description
   Domain Name Group Type	Application/Network
   Group Name	Name of a user-defined domain name group.
   Description	(Optional) Enter remarks for the domain name group.
   Domain Name	Enter one or multiple domain names. You can enter a multi-level single domain name (for example, top-level domain name example.com and level-2 domain name www.example.com) or a wildcard domain name (*.example.com). Multiple domain names are separated by commas (,), semicolons (;), line breaks, or spaces. NOTE: Domain names must be unique.

Adding a Domain Name to a Domain Group

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
5. In the navigation pane, choose Access Control > Object Groups.
6. Click the Domain Name Groups tab. Click the name of a domain name group. The Domain Name Groups dialog box is displayed.
7. Click Add Domain and enter domain name information.

   You can click Add to add multiple domain names.

8. Confirm the information and click OK.

Related Operation

• Exporting domain name groups: Click Export above the list and select a data range.
• Batch deleting domain names: Select domain names in the domain name list and click Delete above the list.

• Editing a domain name group: Click the name of the target domain name group and click Edit on the right of Basic Information.
• A domain name group takes effect only after it is set in a protection rule. For more information, see Adding Protection Rules to Block or Allow Traffic.
• Viewing the IP addresses resolved by a domain name group of the network domain name group type: Click a domain name group name to go to the Basic Information page, and click IP address in the Operation column of the domain name list.