Best practice for allowing outbound to FQDN with multiple endpoints?

tickermcse76
Level 1

More often, I'm finding the need to permit outbound access to an FQDN that can have a few to several IP endpoints (i.e. a service that itself leverages multiple services to host its platform and/or CDN).

Permitting based on an FQDN has had its own host of issues. Most of our internal servers do not use the same DNS as our perimeter firewall, therefore the DNS lookups will mismatch. The DNS A record request is almost always going to return just a single IP, so the more IPs in the pool, the more likely you'll end up mismatching.

I was curious to know what's regarded as current best practice? Is everyone still defining a list of IPs and altering as needed?

1 Reply
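The mismatch the question describes can be made concrete with a small model. The script below is an added example, not code from this thread or from any Cisco product: it replays a constructed timeline in which the perimeter firewall's resolver returns one A record per query from a four-address pool, while internal servers (using a different resolver) connect to whichever address they were given. A naive FQDN rule permits only the firewall's most recent unexpired answer; the alternative modelled here accumulates every address ever returned and keeps each one for its TTL plus a grace period, which is the "maintained list of IPs" approach from the question, automated. The hostname api.example.com, the documentation-range addresses, the timestamps, the grace period and the ASA object-group naming convention are all assumptions.

```python
"""
Added example: compares a single-answer FQDN rule with an address object
learned from every DNS answer seen over time. All hostnames, addresses and
timestamps are constructed sample data, not taken from the thread.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One DNS answer as a resolver saw it: receipt time (seconds on a
    constructed timeline), TTL, and the addresses it carried."""
    observed_at: int
    ttl: int
    addresses: frozenset[str]


# Constructed sample: what the firewall's own resolver returned for the
# assumed name api.example.com, one record per query, TTL 300, from a pool of
# four addresses in the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
FIREWALL_LOOKUPS = [
    Answer(0, 300, frozenset({"203.0.113.10"})),
    Answer(300, 300, frozenset({"203.0.113.11"})),
    Answer(600, 300, frozenset({"203.0.113.12"})),
    Answer(900, 300, frozenset({"198.51.100.7"})),
]

# Constructed sample: (address an internal server resolved via its own DNS,
# time at which it opened the outbound connection through the firewall).
CLIENT_CONNECTIONS = [
    ("203.0.113.11", 30),
    ("203.0.113.10", 120),
    ("203.0.113.12", 400),
    ("203.0.113.11", 650),
    ("198.51.100.7", 700),
    ("203.0.113.10", 950),
]


def fqdn_rule_view(lookups: list[Answer], now: int) -> frozenset[str]:
    """Addresses a naive FQDN rule permits at `now`: only the most recent
    answer from the firewall's resolver that has not yet expired."""
    live = [a for a in lookups if a.observed_at <= now < a.observed_at + a.ttl]
    return live[-1].addresses if live else frozenset()


class LearnedAddressObject:
    """Accumulates every address ever returned for an FQDN and keeps each one
    until TTL plus a grace period has passed since it was last seen."""

    def __init__(self, fqdn: str, grace: int = 86400) -> None:
        self.fqdn = fqdn
        self.grace = grace  # assumed: keep stale pool members for a day
        self._expires: dict[str, int] = {}

    def observe(self, answer: Answer) -> None:
        for ip in answer.addresses:
            keep_until = answer.observed_at + answer.ttl + self.grace
            self._expires[ip] = max(self._expires.get(ip, 0), keep_until)

    def view(self, now: int) -> frozenset[str]:
        return frozenset(ip for ip, exp in self._expires.items() if exp > now)

    def asa_object_group(self, now: int) -> str:
        """Render the current view as a Cisco ASA network object-group; the
        name format (fqdn- plus the name with dots as dashes) is assumed."""
        name = "fqdn-" + self.fqdn.replace(".", "-")
        hosts = sorted(self.view(now), key=ipaddress.ip_address)
        return "\n".join([f"object-group network {name}"]
                         + [f" network-object host {ip}" for ip in hosts])


def build_object(fqdn: str, lookups: list[Answer], now: int,
                 grace: int = 86400) -> LearnedAddressObject:
    """Feed every answer received up to `now` into a learned object."""
    obj = LearnedAddressObject(fqdn, grace)
    for a in lookups:
        if a.observed_at <= now:
            obj.observe(a)
    return obj


def learned_view(lookups: list[Answer], now: int, grace: int = 86400) -> frozenset[str]:
    return build_object("api.example.com", lookups, now, grace).view(now)


def count_denied(lookups, connections, view_fn) -> int:
    """Connections whose destination lies outside the permitted view at the
    moment they were opened."""
    return sum(1 for dest, t in connections if dest not in view_fn(lookups, t))


def resolve_ipv4(fqdn: str) -> frozenset[str]:
    """Live lookup through this host's resolver, for use against a real name
    (not exercised by the offline demo)."""
    return frozenset(i[4][0] for i in socket.getaddrinfo(fqdn, None, socket.AF_INET))


if __name__ == "__main__":
    n = len(CLIENT_CONNECTIONS)
    print("single-answer FQDN rule denies",
          count_denied(FIREWALL_LOOKUPS, CLIENT_CONNECTIONS, fqdn_rule_view), "of", n)
    print("learned address object denies",
          count_denied(FIREWALL_LOOKUPS, CLIENT_CONNECTIONS, learned_view), "of", n)
    print(build_object("api.example.com", FIREWALL_LOOKUPS, 1000).asa_object_group(1000))
```

On the constructed timeline the single-answer rule denies five of the six connections, while the learned object denies three and then none once every pool member has been seen. The grace period is the design choice worth thinking about: with no grace, entries drop out as soon as their TTL lapses and the object shrinks back toward the single-answer behaviour, while a long grace keeps addresses the service may have stopped using, so size it to how often the provider rotates its pool.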

Bogdan Nita
VIP Alumni

Unfortunately I do not think there is a straight answer. It depends on the situation.

If it's HTTP traffic, HTTP filtering could be used.
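As an added illustration of the reply's suggestion (not part of the reply, and not a Cisco configuration), here is what "filter on the name instead of the address" looks like on an explicit forward proxy, using Squid's ACL syntax. The internal range and the FQDN api.example.com are assumptions. The proxy matches the hostname carried in the request itself (the URL for plain HTTP, the CONNECT target for HTTPS), so which IP the service resolves to at that moment no longer matters; the firewall then only needs to permit the proxy outbound.

```conf
# Squid forward-proxy fragment (added example; assumed ranges and names)
acl internal_servers src 10.0.0.0/8          # assumed internal server range
acl saas_api dstdomain api.example.com       # matches URL host or CONNECT target
http_access allow internal_servers saas_api
http_access deny all
```

This only helps where the servers can be pointed at the proxy and the traffic really is HTTP or HTTPS; anything else still needs an address-based rule at the perimeter.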
