DNS, SFTP, and FTPS: Why Firewalls Handle These Protocols Differently

1. DNS Resolution and Protocol Handling

Both HTTPS and SFTP require DNS resolution if a domain name (FQDN) is used:

  • HTTPS (HTTP over TLS):

    • The client performs a DNS query to resolve cordero.me to an IP.
    • The client initiates a TCP connection to the resolved IP on port 443.
    • The client and server negotiate TLS. The client sends a ClientHello message containing the Server Name Indication (SNI), which tells the server which domain it is trying to reach.
    • The server uses the SNI to determine which SSL certificate and virtual host to serve.
    • Because the SNI is sent in cleartext in the ClientHello, before encryption begins, firewalls and proxies can inspect this field and enforce policies based on the hostname.
  • SFTP (SSH File Transfer Protocol):

    • The client performs a DNS query to resolve sftp.cordero.me to an IP.
    • The client initiates a TCP connection to the resolved IP on port 22.
    • SSH establishes an encrypted tunnel before anything else happens. The client authenticates via password or keys.
    • There is no SNI equivalent in SSH/SFTP. The protocol never exposes the domain name after the DNS resolution step.
    • Since only the IP is used, firewalls can’t inspect an SFTP connection to determine which FQDN was intended, meaning firewall rules must be based on the IP address.

2. Why HTTPS Can Use URLs in Firewall Policies but SFTP Cannot

  • SNI (Server Name Indication) in HTTPS:
    • The TLS handshake includes the requested hostname, allowing security appliances (firewalls, proxies) to inspect and filter based on the domain name instead of the IP.
    • This is why web filtering, Next-Gen Firewalls (NGFWs), and Web Application Firewalls (WAFs) can apply URL-based policies.
  • SFTP (SSH-based) Has No SNI:
    • Since SSH encrypts everything immediately after the TCP handshake, there’s no way for the firewall to see the intended hostname.
    • Firewalls only see an SSH connection to an IP, not the domain name.
    • As a result, firewall policies must be based on the IP address, since there’s no way to filter by FQDN after DNS resolution.

3. What About FTPS?

  • FTPS (FTP over TLS) vs. SFTP (SSH FTP)
    • FTPS (explicit or implicit TLS) does support SNI because it runs over TLS (like HTTPS).
    • If using explicit FTPS (FTPES, port 21), the client and server first negotiate TLS before exchanging FTP commands.
    • If using implicit FTPS (port 990), TLS is required from the start.
    • Since FTPS traffic includes SNI in the TLS handshake, firewalls and proxies can filter traffic based on FQDN.
    • SFTP, on the other hand, is entirely encrypted from the start, with no opportunity to expose a hostname.

4. Summary and Firewall Policy Considerations

Protocol      Uses DNS Resolution?   Uses SNI for Filtering?    Firewall Rule Type
HTTPS         ✅ Yes                 ✅ Yes (in TLS handshake)  Can allow/block by FQDN (e.g., cordero.me)
SFTP (SSH)    ✅ Yes                 ❌ No (IP only)            Must allow/block by IP
FTPS          ✅ Yes                 ✅ Yes (in TLS handshake)  Can allow/block by FQDN (if using explicit TLS)

Firewall Policy Implications:

  • For HTTPS and FTPS, you can enforce rules based on URLs (FQDN) because of SNI in the TLS handshake.
  • For SFTP, you must use IP-based rules because the SSH connection never exposes the FQDN after resolution.