Can someone help me wrap my head around this please?
We're looking to implement firewall rule that would permit traffic to specific destinations, while continuing to block everything else. The challenge is the destinations are cloud services so tend to contain many changing IP addresses.
Looking of the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection.
What's not clear is if that DNS request must come from the client itself, rather than from an onsite DNS server that the client is talking to.
Am I right in thinking this only works if the client machine is making the request to, for example Google DNS 126.96.36.199., so that the MX sees those requests and can match them directly back to the client IP then asking to get to sitexyz.com?
>Looking of the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection.
The DNS request can be either inter-vlan or go out to the Internet or out AutoVPN to another site. The DNS request populates the DNS cache. The FQDN firewall rule then uses this DNS cache.
Consequently, it does not matter who made that DNS request or which DNS server it was sent to.
You do need to be careful with short-lived DNS results or queries that always return a different result with a short TTL. For example, from memory, Facebook uses a TTL with 60s. So you can get a case where client "x" does a lookup. Client "y" does a lookup a short time later but gets a different result. The firewall rule ends up using only one of these results, so one client works and the other does not.
Something like that. Explanation not exactly right. But jist is.
On the whole, it works great with most cloud providers using rotating sets of IPs, but not all of them (only a small percentage that don't work well).