NSX DFW with context-profile enabled does not block or allow specific FQDNs when host entries are configured in /etc/hosts

Article ID: 345816


Products

VMware vDefend Firewall

Issue/Introduction

  • NSX Distributed Firewall is enabled
  • Context Profile rules have been created to manage specific FQDNs
  • Traffic from virtual machines to those specific FQDNs is not being managed by the DFW: the DFW fails to block or allow the specific FQDNs.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

FQDN Filtering depends on snooping DNS queries and responses to dynamically learn a domain's IP addresses. If DNS queries are never sent, or are sent but not snooped (i.e. no rule with the APP_DNS context profile is being hit), FQDN filtering will not work as intended.

A static DNS resolution configured in a VM's /etc/hosts file means the guest resolves the name locally and never sends a DNS packet for it, which short-circuits FQDN filtering for that domain.

Resolution

Remove any entries from the /etc/hosts file within the guest operating system.