Domain rules are the most used rule family. The three variants look alike but differ hugely in scope - picking the wrong one means rules that never fire or that catch far too much.
Side by side
Against the destination www.google.com:
| Rule | Hit? | Notes |
|---|---|---|
DOMAIN,www.google.com | Yes | Exact match only; mail.google.com does not hit. |
DOMAIN,google.com | No | DOMAIN never includes subdomains. |
DOMAIN-SUFFIX,google.com | Yes | google.com itself plus all subdomains - the usual choice. |
DOMAIN-KEYWORD,google | Yes | Any domain containing "google" - including googleusercontent.com and fake-google.evil.com. |
Choosing
- Target is a whole site:
DOMAIN-SUFFIX- correct 90% of the time. - Target is one specific subdomain (e.g. only the API host):
DOMAIN. DOMAIN-KEYWORDsuits services with shifting domains sharing a token (CDN families) - beware false positives: short keywords likeDOMAIN-KEYWORD,adhit shadow, download and other innocents.
Why domain rules go before IP rules
Domain rules match before DNS resolution, needing no IP; IP rules (IP-CIDR, GEOIP) force a resolution first. Putting domain rules earlier avoids needless lookups, and in fake-ip mode prevents forced real resolutions (combine with no-resolve, see IP Rules).
DOMAIN,vpn.company.com,DIRECT placed before DOMAIN-SUFFIX,company.com,PROXY sends just that host direct.