Dear CP,
According to your sk120633 (Domain Objects), the Non-FQDN mode "... uses DNS reverse lookup (if the IP address is not already in cache)."
There is an example where you state that a Non-FQDN object with ".checkpoint.com"
would also match
- "support.checkpoint.com" or
- "community.checkpoint.com"
(as determined by a reverse lookup of the IP).
Therefore I resolved both (using dig):
- support.checkpoint.com -> support.us.checkpoint.com -> 209.87.209.88
- community.checkpoint.com -> e1364.dscb.akamaiedge.net -> 23.203.123.111
So the client will, for example, resolve the domains and get the above IPs.
The packet arriving at the firewall with the ".checkpoint.com" FQDN object will now try to resolve these IPs, therefore:
- 209.87.209.88 -> NX
- 23.203.123.111 -> plenty of x.arin.net entries.
Did I understand the procedure/technique correctly? If yes, how should the FW be able to determine that these IPs belong to ".checkpoint.com" if it gets either an NX entry or plenty of completely different entries?
Thanks for your help and best regards,
Linus
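As an added illustration (not part of the post above and not Check Point's own code): a small Python model of the matching procedure exactly as the post describes it, i.e. reverse-resolve the destination IP and compare the PTR name against the object suffix. It runs against constructed lookup tables that reproduce the dig results quoted in the post, so it works offline; the `ptr_live` helper, the 192.0.2.x test addresses and the `x.arin.net` placeholder name are assumptions made for the example. What it shows is that a suffix comparison on the PTR name comes up empty for both IPs from the post, one because there is no PTR at all and one because the PTR belongs to a different domain.

```python
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed lookup tables (not live DNS) reproducing the answers quoted in
# the post, plus two extra IPs from the TEST-NET range to show the boundary
# cases. Hard-coding them keeps the example runnable offline.
FORWARD: Dict[str, str] = {
    "support.checkpoint.com": "209.87.209.88",     # CNAME support.us.checkpoint.com in the post
    "community.checkpoint.com": "23.203.123.111",  # CNAME e1364.dscb.akamaiedge.net in the post
}
PTR: Dict[str, Optional[str]] = {
    "209.87.209.88": None,                    # NX: no PTR record at all
    "23.203.123.111": "x.arin.net",           # placeholder for the unrelated arin.net answers
    "192.0.2.10": "support.checkpoint.com.",  # constructed: the only shape a suffix check accepts
    "192.0.2.11": "notcheckpoint.com",        # constructed: shares the string, not the label boundary
}


def ptr_from_table(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table above."""
    return PTR.get(ip)


def ptr_live(ip: str) -> Optional[str]:
    """Reverse lookup via the OS resolver; None when there is no PTR (NXDOMAIN).
    Assumed helper for running the same check against real DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def matches_non_fqdn(ip: str, suffix: str,
                     ptr_lookup: Callable[[str], Optional[str]] = ptr_from_table
                     ) -> Tuple[bool, str]:
    """Model of the Non-FQDN match as the post understands it: reverse-resolve
    the destination IP and test whether the PTR name ends with the object suffix.
    Returns (matched, ptr_name) with ptr_name == "NX" when no PTR exists."""
    if not suffix.startswith("."):
        suffix = "." + suffix        # a leading dot keeps the check on a label boundary
    name = ptr_lookup(ip)
    if name is None:
        return False, "NX"
    name = name.rstrip(".").lower()  # PTR answers are often absolute (trailing dot)
    return name.endswith(suffix.lower()), name


def trace(hostnames, suffix: str, ptr_lookup=ptr_from_table):
    """Walk the full path from the post: client-side forward resolution of each
    hostname, then the firewall-side reverse lookup of the resulting IP."""
    rows = []
    for host in hostnames:
        ip = FORWARD[host]
        matched, ptr_name = matches_non_fqdn(ip, suffix, ptr_lookup)
        rows.append((host, ip, ptr_name, matched))
    return rows


if __name__ == "__main__":
    for host, ip, ptr_name, matched in trace(FORWARD, ".checkpoint.com"):
        print(f"{host} -> {ip} -> PTR {ptr_name!r}: match={matched}")
```

Passing `ptr_lookup=ptr_live` to `trace` or `matches_non_fqdn` repeats the same check against the resolver the machine actually uses, which is the quickest way to see what PTR data a given IP exposes before relying on a reverse-lookup-based object.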