Using Domain Name elements in Firewall Access rules

You can use Domain Name elements in Access rules to represent a fully qualified domain name (FQDN) that might be associated with multiple IP addresses.

If you have specified one or more DNS servers in the engine’s properties, the engine periodically queries the DNS server to automatically resolve domain names to IP addresses. This makes it possible to create rules that remain valid even when new addresses are added to the domain or the domain’s IP addresses change. If the DNS server returns multiple IP addresses for the same domain name, the engine associates all of the IP addresses with the domain name. However, if a large number of IP addresses are associated with the same domain name, the DNS server might reply with only a few of them at a time. In that case, the engine might need to make several more queries to the DNS server before it has resolved all the IP addresses for the domain name, so a rule might not match every address until those queries have completed. By default, the engine queries the DNS server every six minutes. Resolved IP addresses are kept in the engine’s DNS cache for a maximum of one hour by default.
Note: The DNS cache is not synchronized between the nodes of a cluster. Each node separately queries the DNS server using the node’s NDI address. As a result, the DNS cache can differ between the nodes of a cluster.
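The following model, added here as an illustration and not code from the NGFW product, shows how the address set behind a Domain Name element evolves when the DNS server answers with only part of a large record set, and how an address that stops being returned ages out of the cache. The six-minute poll interval and one-hour cache lifetime are taken from the text above; the resolvers are constructed stand-ins for a real DNS server, and the cache semantics (last-seen timestamp, drop after the lifetime) are an assumption of this model, not a statement about the engine’s internals.

```python
"""Simulate how an FQDN rule's resolved address set changes over time."""
import itertools
from typing import Callable, Dict, List, Set

POLL_INTERVAL_MIN = 6   # engine re-queries the DNS server every six minutes
CACHE_TTL_MIN = 60      # resolved addresses kept for at most one hour

# Constructed sample data: six addresses behind one domain name.
SAMPLE_IPS = ["203.0.113.%d" % n for n in range(1, 7)]

Resolver = Callable[[int], List[str]]   # (simulated minute) -> A records returned


def make_partial_resolver(all_ips: List[str], per_reply: int) -> Resolver:
    """Stand-in for a DNS server that rotates through a large record set and
    returns only `per_reply` addresses per query (assumption: round-robin)."""
    cycle = itertools.cycle(all_ips)
    return lambda now: [next(cycle) for _ in range(per_reply)]


def make_changing_resolver(old_ip: str, new_ip: str, switch_at_min: int) -> Resolver:
    """Stand-in for a domain whose single address is replaced at a given time."""
    return lambda now: [old_ip] if now < switch_at_min else [new_ip]


class FqdnCache:
    """Resolved addresses keyed by the minute each was last seen in a reply."""

    def __init__(self) -> None:
        self.last_seen: Dict[str, int] = {}

    def refresh(self, now_min: int, ips: List[str]) -> None:
        for ip in ips:
            self.last_seen[ip] = now_min
        # Drop any address that has not been returned for the full lifetime.
        self.last_seen = {ip: t for ip, t in self.last_seen.items()
                          if now_min - t < CACHE_TTL_MIN}

    def addresses(self) -> Set[str]:
        return set(self.last_seen)


def simulate(resolver: Resolver, minutes: int) -> List[Set[str]]:
    """Poll `resolver` every POLL_INTERVAL_MIN up to `minutes`; return the cache
    contents (the addresses the rule would match) after each poll."""
    cache, snapshots = FqdnCache(), []
    for now in range(0, minutes + 1, POLL_INTERVAL_MIN):
        cache.refresh(now, resolver(now))
        snapshots.append(cache.addresses())
    return snapshots
```

Replacing the constructed resolver with one that calls `socket.getaddrinfo` repeatedly against the engine’s configured DNS server gives a quick check of how many polls a real domain needs before the rule covers all of its addresses.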