Network > Address Objects
SonicOS Enhanced 4.0 Administrator Guide
Enforcing the use of sanctioned servers on the network
Although not a requirement, it is recommended to enforce the use of authorized or sanctioned
servers on the network. This practice can help to reduce illicit network activity, and will also
serve to ensure the reliability of the FQDN wildcard resolution process.
In general, it is good practice to define the endpoints of known protocol communications when
possible. For example:
Feature: FQDN resolution using DNS
Benefit: FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP addresses, the FQDN DAO resolution process will retrieve all of the addresses to which a host name resolves, up to 256 entries per AO. In addition to resolving the FQDN to its IPs, the resolution process will also associate the entry’s TTL (time to live) as configured by the DNS administrator. The TTL will then be honored to ensure the FQDN information does not become stale.

Feature: FQDN entry caching
Benefit: Resolved FQDN values will be cached in the event of resolution attempt failures subsequent to initial resolution. In other words, if “www.moosifer.com” resolves to 71.35.249.153 with a TTL of 300, but fails to resolve upon TTL expiry (for example, due to temporary DNS server unavailability), 71.35.249.153 will be cached and used as valid until resolution succeeds, or until manually purged. Newly created FQDN entries that never successfully resolve, or entries that are purged and then fail to resolve, will appear in an unresolved state.

Feature: MAC Address resolution using live ARP cache data
Benefit: When a node is detected on any of the SonicWALL’s physical segments through the ARP (Address Resolution Protocol) mechanism, the SonicWALL’s ARP cache is updated with that node’s MAC and IP address. When this update occurs, if a MAC Address Object referencing that node’s MAC is present, it will instantly be updated with the resolved address pairing. When a node times out of the ARP cache due to disuse (e.g. the host is no longer L2 connected to the firewall), the MAC AO will transition to an “unresolved” state.

Feature: MAC Address Object multi-homing support
Benefit: MAC AOs can be configured to support multi-homed nodes, where multi-homed refers to nodes with more than one IP address per physical interface. Up to 256 resolved entries are allowed per AO. This way, if a single MAC address resolves to multiple IPs, all of the IPs will be applicable to the Access Rules, etc. that refer to the MAC AO.

Feature: Automatic and manual refresh processes
Benefit: MAC AO entries are automatically synchronized to the SonicWALL’s ARP cache, and FQDN AO entries abide by DNS entry TTL values, ensuring that the resolved values are always fresh. In addition to these automatic update processes, manual Refresh and Purge capabilities are provided for individual DAOs, or for all defined DAOs.
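As an added illustration of the FQDN resolution, TTL and cache-on-failure behaviour described in the rows above (this is a model written for this page, not SonicOS code or anything from the guide), the following Python walks the guide's www.moosifer.com example through initial resolution, a DNS outage after TTL expiry, a manual purge and recovery. The FqdnAddressObject class, its method names and the stub resolver are assumptions of the model.

```python
from dataclasses import dataclass, field

MAX_ENTRIES = 256  # resolved addresses kept per Address Object, per the guide

@dataclass
class FqdnAddressObject:
    fqdn: str
    addresses: list = field(default_factory=list)  # resolved IPs, capped at MAX_ENTRIES
    expires_at: float = 0.0                         # absolute time the DNS TTL lapses
    resolved: bool = False                          # False is the "unresolved" state

    def refresh(self, resolver, now):
        """Re-resolve via resolver(fqdn) -> (ips, ttl), which raises on DNS failure.
        A failure keeps previously cached IPs valid; with nothing cached the AO stays unresolved."""
        try:
            ips, ttl = resolver(self.fqdn)
        except Exception:
            return self.resolved
        self.addresses = list(dict.fromkeys(ips))[:MAX_ENTRIES]  # dedupe, then cap
        self.expires_at = now + ttl
        self.resolved = bool(self.addresses)
        return self.resolved

    def purge(self):
        """Manual purge: the next refresh must succeed before the AO resolves again."""
        self.addresses, self.expires_at, self.resolved = [], 0.0, False

    def contains(self, ip, resolver, now):
        """What an Access Rule referencing this AO checks: re-resolve once the TTL
        has lapsed, then match the packet's IP against the resolved set."""
        if now >= self.expires_at:
            self.refresh(resolver, now)
        return self.resolved and ip in self.addresses

def scenario():
    """Walk the guide's own example: www.moosifer.com -> 71.35.249.153, TTL 300."""
    dns_up = [True]  # constructed stand-in for the Network > DNS servers' availability
    def resolver(fqdn):
        if not dns_up[0]:
            raise RuntimeError("DNS server unavailable")
        return {"www.moosifer.com": (["71.35.249.153"], 300)}[fqdn]
    ao = FqdnAddressObject("www.moosifer.com")
    seen = [ao.contains("71.35.249.153", resolver, now=0)]        # initial resolution
    dns_up[0] = False
    seen.append(ao.contains("71.35.249.153", resolver, now=301))  # TTL lapsed, DNS down
    ao.purge()
    seen.append(ao.contains("71.35.249.153", resolver, now=302))  # purged and still failing
    dns_up[0] = True
    seen.append(ao.contains("71.35.249.153", resolver, now=303))  # DNS back
    return seen  # [True, True, False, True]
```

The second result is the cache-on-failure case: the stale address is still honoured because resolution once succeeded, whereas after the purge the same failure leaves the object unresolved.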