The Dynamic DNS object allows records to be retrieved using a DNS server as the database.
This populates Linux ipset zones with IPv4 addresses fetched from DNS zone transfers (AXFR).
The resulting ipsets are referenced by Firewall rules to restrict or allow traffic based on a centrally managed list of IPs. This feature is available on Artica v4.50 Service Pack 7 or Artica v4.50 Service Pack 6 Hotfix 20260312-21.



The Domains field contains zone names — not traditional internet domains like `example.com`.
Each domain is a private DNS zone hosted on the configured DNS servers that acts as a container for A records.
Each A record in the zone represents one authorized IP address.
For example, the zone bradbury. on the DNS server might contain:
```
server1.georges.      IN A 10.0.0.5
office.georges.       IN A 192.168.1.20
vpn-gateway.georges.  IN A 203.0.113.50
ns1.georges.          IN A 10.0.0.1       ← skipped (ns* prefix)
```
Artica performs an AXFR (full zone transfer) for each domain and extracts the IPv4 addresses from all A records.
The hostname labels (server1, office, vpn-gateway) are human-readable identifiers — only the IP in the A record matters.
Records with hostnames starting with ns are excluded (nameserver infrastructure, not authorized hosts).
Multiple domains allow organizing authorized IPs by team, site, or purpose:
- `georges.` Paris office hosts
- `michel.` Remote workers
- `david.` Infrastructure servers
- `jean.` VPN gateways
Why the trailing dot?
In DNS, a trailing dot marks a Fully Qualified Domain Name (FQDN) — it means "this is the complete name, don't append a search domain."
Without the dot, a DNS resolver might append the system's search domain (e.g., `georges` → `georges.localdomain`), querying the wrong zone.
Artica appends a dot if missing, so both bradbury and georges. work.
However, the trailing dot is the correct convention and avoids ambiguity — always include it.
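
The extraction rules described above (A records only, `ns*` hostnames skipped, trailing dot appended when missing), as an added Python example that is not Artica's own code. It assumes the transfer is available as five-column text (owner, TTL, class, type, data); the set name `ddns_georges`, the temporary-set swap loaded with `ipset -exist restore`, and the refusal to load an empty result are choices made for this example.

```python
import ipaddress

# Constructed sample: text form of an AXFR answer for the zone "georges."
# (five columns, as a tool such as dig prints it); not captured from a server.
SAMPLE_AXFR = """\
georges.             3600 IN SOA ns1.georges. admin.georges. 7 3600 600 86400 60
georges.             3600 IN NS  ns1.georges.
server1.georges.     3600 IN A   10.0.0.5
office.georges.      3600 IN A   192.168.1.20
vpn-gateway.georges. 3600 IN A   203.0.113.50
office.georges.      3600 IN A   192.168.1.20
ns1.georges.         3600 IN A   10.0.0.1
server1.georges.     3600 IN AAAA 2001:db8::5
"""

def fqdn(zone):
    """Append the trailing dot if missing, so 'georges' and 'georges.' match."""
    zone = zone.strip().lower()
    return zone if zone.endswith(".") else zone + "."

def authorized_ips(axfr_text, zone):
    """Return the sorted, de-duplicated IPv4 addresses of the zone's A records."""
    z, found = fqdn(zone), set()
    for line in axfr_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue  # SOA, NS, AAAA and anything else is ignored
        owner = fields[0].lower()
        if not (owner == z or owner.endswith("." + z)) or owner.startswith("ns"):
            continue  # outside the zone, or an ns* infrastructure record
        try:
            found.add(ipaddress.IPv4Address(fields[4]))
        except ipaddress.AddressValueError:
            continue  # malformed data never reaches the firewall set
    return [str(ip) for ip in sorted(found)]

def ipset_restore_script(set_name, ips):
    """Build input for `ipset -exist restore`: fill a temp set, then swap it in."""
    if not ips:  # a failed or empty transfer must not silently empty the set
        raise ValueError("no A records: keep the current set unchanged")
    tmp = set_name + "_tmp"  # hypothetical naming scheme for the staging set
    lines = [f"create {set_name} hash:ip family inet",
             f"create {tmp} hash:ip family inet", f"flush {tmp}"]
    lines += [f"add {tmp} {ip}" for ip in ips]
    return "\n".join(lines + [f"swap {tmp} {set_name}", f"destroy {tmp}"]) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script("ddns_georges", authorized_ips(SAMPLE_AXFR, "georges")))
```

Because the literal `ns` prefix rule also drops any authorized host whose name happens to start with `ns`, such hosts need a different label in the zone.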