FQDN rules, asterisks and DNS recursion
While trying to open outgoing traffic from unauthenticated PCs to Microsoft Update websites, I have to add FQDNs like *.update.microsoft.com to a rule.
Despite that, PCs were not able to open connections to sites like fe2cr.update.microsoft.com.
Analyzing the Firebox FQDN cache, there is no sign of fe2cr.update.microsoft.com in the cache.
After investigation I discovered that the Firebox is unable to track DNS resolution of our internal recursive DNS resolver when the site has many CNAMEs to different domain names.
I had to use an external resolver (conditional forwarder in Microsoft DNS) for the domain microsoft.com. This caused only a single UDP packet to traverse the WatchGuard with the resolved hostname, and the Firebox FQDN cache got correctly populated.
Is this a bug? It's not mentioned in the documentation that "you cannot have an internal recursive DNS resolver to make FQDN policies with asterisks work".
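The behaviour described in the post can be reproduced with a small simulation. The following is an added example, not code from the original post or from WatchGuard: it models a hypothetical firewall FQDN cache that snoops DNS replies crossing the firewall and attaches an IP to a wildcard rule only when the reply's question name matches the rule, following CNAMEs only within that same reply. The CDN alias names (`alias1.cdn-example.net`, `edge.cdn-example.net`) and the address `203.0.113.10` are constructed placeholders; the parser builds and reads uncompressed DNS wire format with the standard library only. Both scenarios from the post are run: a conditional forwarder that returns the whole CNAME chain in one reply, and an internal recursive resolver whose per-hop queries each pass the firewall separately.

```python
import struct

TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name):
    """Encode a dotted hostname in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS reply; answers is a list of (owner, rtype, rdata)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == TYPE_A else encode_name(rdata)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg


def decode_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers; returns (name, next_off)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            ptr = ((ln & 0x3F) << 8) | msg[off]
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), off


def parse_response(msg):
    """Return (question name, [(owner, rtype, rdata), ...]) from a DNS reply."""
    an = struct.unpack_from("!H", msg, 6)[0]       # ANCOUNT
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_CNAME:
            rdata = decode_name(msg, off)[0]
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers


class FqdnCache:
    """Hypothetical model of a firewall FQDN cache (assumption, not WatchGuard's code):
    an IP is attached to a rule only when the QUESTION name of a snooped reply matches
    the rule, and CNAMEs are followed only inside that same reply."""

    def __init__(self, rules):
        self.ips = {r: set() for r in rules}

    @staticmethod
    def matches(rule, name):
        return name.endswith(rule[1:]) if rule.startswith("*.") else name == rule

    def snoop(self, msg):
        qname, answers = parse_response(msg)
        cnames = {o: r for o, t, r in answers if t == TYPE_CNAME}
        arecs = {}
        for o, t, r in answers:
            if t == TYPE_A:
                arecs.setdefault(o, set()).add(r)
        for rule in self.ips:
            if not self.matches(rule, qname):
                continue
            name, seen = qname, set()
            while name in cnames and name not in seen:   # walk the chain in this reply
                seen.add(name)
                name = cnames[name]
            self.ips[rule] |= arecs.get(name, set())


RULE = "*.update.microsoft.com"
HOST = "fe2cr.update.microsoft.com"
# Constructed chain: the CDN names and the IP are placeholders, not real records.
ALIAS1, ALIAS2, IP = "alias1.cdn-example.net", "edge.cdn-example.net", "203.0.113.10"


def conditional_forwarder_case():
    """External resolver returns the whole CNAME chain in one reply that crosses the firewall."""
    cache = FqdnCache([RULE])
    cache.snoop(build_response(HOST, [(HOST, TYPE_CNAME, ALIAS1),
                                      (ALIAS1, TYPE_CNAME, ALIAS2),
                                      (ALIAS2, TYPE_A, IP)]))
    return cache.ips[RULE]


def internal_recursive_case():
    """Internal resolver recurses itself: the firewall sees one reply per hop, and the
    reply that finally carries the A record has a question name outside the rule."""
    cache = FqdnCache([RULE])
    for qname, answers in [(HOST, [(HOST, TYPE_CNAME, ALIAS1)]),
                           (ALIAS1, [(ALIAS1, TYPE_CNAME, ALIAS2)]),
                           (ALIAS2, [(ALIAS2, TYPE_A, IP)])]:
        cache.snoop(build_response(qname, answers))
    return cache.ips[RULE]


if __name__ == "__main__":
    print("conditional forwarder:", conditional_forwarder_case())
    print("internal recursion:", internal_recursive_case())
```

In the forwarder case the rule ends up with the CDN address; in the recursive case it stays empty, because the only reply whose question name falls under `*.update.microsoft.com` carries a CNAME and no A record, and the later replies that do carry the A record are for names outside the rule. Whether a given firewall really keys its cache on the question name this way is an assumption of the model; the simulation only shows why that design would produce the symptom in the post.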