[AF] IP Whitelist is not effective — caused by a single IP being associated with multiple domain names
Problem Description
After the destination IP is added to the whitelist (IP address exclusion), traffic to that IP is still blocked: the whitelist entry never gets a hit.

A second symptom: the blacklisted domain name that the traffic is reported as matching no longer resolves to the destination IP when checked with nslookup.
Effective troubleshooting steps
- Adding the domain name associated with the IP to the whitelist makes the traffic pass normally, but the whitelisted IP on its own never takes effect.
- With kernel debugging enabled, the debug output shows the destination IP matching a domain name blacklist entry rather than the IP whitelist entry.
Root cause
1. A domain name match has higher priority than an IP match. When the destination IP hits both a blacklisted domain name and a whitelisted IP, the blacklisted domain name wins and the traffic is blocked. (This explains the first symptom in the problem description.)
2. The IP-to-domain association is kept per IP with one shared aging timer. For example, if one IP is associated with three domain names and one of them later stops resolving to that IP, DNS answers for the other two domain names keep refreshing the TTL of the IP entry, so the entry never ages out and still records all three domain names. The stale domain name therefore keeps matching the blacklist even though nslookup no longer returns this IP for it. (This explains the second symptom.)
Solution
Add the domain name(s) associated with the IP that should be allowed to the whitelist, not just the IP itself. Because the match result is checked for a white verdict before a black one, a whitelisted domain name on that IP takes effect where a whitelisted IP does not.
Operation Impact Scope
N/A
Suggestions and Conclusion
Whitelist matching order:
1. The source IP is matched first, then the destination IP.
2. For the destination, the domain names associated with the IP are matched first, then the IP itself.
3. At each stage the match result is checked for a white (allow) verdict first, then for a black (block) verdict.
Consequently a whitelisted destination IP cannot override a blacklisted domain name that is still associated with that IP, but a whitelisted domain name can.
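The following Python model is an added example, not Sangfor code, and covers both the root cause above (one aging timer shared by every domain name associated with an IP) and the matching order just listed. The IPs, domain names, client address and the 300-second TTL are constructed for the scenario and are assumptions; the exact verdict logic of the AF is also simplified to what the case states (source IP, then associated domain names, then destination IP, white before black at each stage).

```python
from dataclasses import dataclass, field

# Constructed sample data for this scenario; none of these names or addresses
# appear in the case. TTL is an assumed value; the case does not state the real one.
SHARED_IP = "198.51.100.10"
LONE_IP = "203.0.113.5"
DOMAINS_ON_SHARED_IP = ("app.example.net", "cdn.example.net", "bad.example.net")
TTL = 300  # seconds
CLIENT_IP = "10.0.0.8"


@dataclass
class IpEntry:
    """One association-cache entry: the domain names seen resolving to an IP and a
    single expiry shared by all of them (the behaviour the root cause describes)."""
    domains: set = field(default_factory=set)
    expires_at: int = 0


class AssociationCache:
    """IP-keyed cache of IP-to-domain associations (simplified model, not the AF's code)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}

    def observe_dns(self, domain, ip, now):
        # Any DNS answer naming this IP refreshes the one shared expiry and adds
        # the domain; nothing removes a domain while the entry is alive.
        entry = self.entries.setdefault(ip, IpEntry())
        entry.domains.add(domain)
        entry.expires_at = now + self.ttl

    def domains_for(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return set()
        if now >= entry.expires_at:  # the whole entry ages out only when no domain refreshed it
            del self.entries[ip]
            return set()
        return set(entry.domains)


@dataclass
class Policy:
    white_src_ips: set = field(default_factory=set)
    white_domains: set = field(default_factory=set)
    black_domains: set = field(default_factory=set)
    white_dst_ips: set = field(default_factory=set)
    black_dst_ips: set = field(default_factory=set)


def decide(policy, cache, src_ip, dst_ip, now):
    """Apply the matching order from the case: source IP, then the domain names
    associated with the destination IP, then the destination IP; at each stage a
    white verdict is checked before a black one. Returns (verdict, reason)."""
    if src_ip in policy.white_src_ips:
        return "pass", "source IP whitelisted"
    domains = cache.domains_for(dst_ip, now)
    white = domains & policy.white_domains
    if white:
        return "pass", "domain whitelisted: " + ", ".join(sorted(white))
    black = domains & policy.black_domains
    if black:
        return "block", "domain blacklisted: " + ", ".join(sorted(black))
    if dst_ip in policy.white_dst_ips:
        return "pass", "destination IP whitelisted"
    if dst_ip in policy.black_dst_ips:
        return "block", "destination IP blacklisted"
    return "pass", "no list matched"


def build_cache():
    """Replay the constructed DNS history that produces the stale association."""
    cache = AssociationCache(TTL)
    for domain in DOMAINS_ON_SHARED_IP:  # t=0: all three resolve to SHARED_IP
        cache.observe_dns(domain, SHARED_IP, now=0)
    cache.observe_dns("old.example.net", LONE_IP, now=0)
    # Afterwards bad.example.net moves elsewhere (nslookup no longer returns SHARED_IP),
    # but the other two domains keep resolving here and keep refreshing the entry.
    for t in (200, 400, 600):
        cache.observe_dns("app.example.net", SHARED_IP, now=t)
        cache.observe_dns("cdn.example.net", SHARED_IP, now=t)
    return cache


def run_case(now=650):
    """Reproduce both symptoms and the fix; returns a dict of observations."""
    cache = build_cache()
    results = {
        "stale_domain_still_associated": "bad.example.net" in cache.domains_for(SHARED_IP, now),
        "lone_ip_aged_out": cache.domains_for(LONE_IP, now) == set(),
    }
    # Symptom 1: whitelisting the IP does not help while a black domain is associated.
    policy = Policy(black_domains={"bad.example.net"}, white_dst_ips={SHARED_IP})
    results["ip_whitelist_only"] = decide(policy, cache, CLIENT_IP, SHARED_IP, now)[0]
    # Fix from the case: whitelist the domain name the traffic actually needs.
    policy.white_domains.add("app.example.net")
    results["domain_whitelisted"] = decide(policy, cache, CLIENT_IP, SHARED_IP, now)[0]
    return results


if __name__ == "__main__":
    for name, value in run_case().items():
        print(f"{name}: {value}")
```

Running it shows the lone IP aging out normally at t=650 while the shared IP still lists bad.example.net, so the IP-only whitelist returns "block" and only the domain whitelist returns "pass"; this is the same check you can do by hand on the AF by comparing kernel debug output against nslookup.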
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1657&isOpen=true