6.7.9.1. Matching domain names with DNSMatcher

DNSMatcher retrieves the IP addresses of domain names. This can be used in domain name based policy decisions, for example to allow encrypted connections only to trusted e-banking sites. If the IP address of the name server is not specified in the DNS Server field, the name server set in the Networking component is used (see Section 5.3, Managing client-side name resolution for details).

Domain name resolution is completed on-demand basis at each PNS startup by default, so that unnecessary slowdown with the startup can be avoided. In order to have domain name resolution at each startup, the resolve_on_init parameter has to be checked in.

Note

Note that in case the zones or the matchers contain unresolvable elements, it may increase the waiting time for a timeout.

It is recommended to have a locally installed caching DNS service which is capable of providing fast responses, monitored with the used domains.

Example 6.12. DNSMatcher for two domain names
Sample DNSMatcher policy

Figure 6.69. Sample DNSMatcher policy

Python:
MatcherPolicy(name="ExampleDomainMatcher", matcher=DNSMatcher(server="dns.example.com",\
hosts=("example2.com", "example3.com")))