High number of DNS queries generated by Cloudguard firewalls for microsoft domains

Usman_Shaikh — Wed, 20 Mar 2019 12:32:03 GMT

We are seeing high number of DNS requests made by our R80.10 (JHF Take 169) Cloudguard firewalls running FW/URLF/APPI blades to management.azure.com and blob.core.windows.net every second to our DNS server on 10.64.17.10

We do not have a domain object defined for these domains

12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.998820 IP 10.64.17.10.domain > 172.26.163.36.54997: 28673 2/0/0 CNAME blob.am4prdstr02a.store.core.windows.net., A 40.118.73.208 (109)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.038050 IP 10.64.17.10.domain > 172.26.163.36.49448: 19122 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.338527 IP 10.64.17.10.domain > 172.26.163.36.45648: 38158 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:57.595217 IP 10.64.17.10.domain > 172.26.163.36.33918: 37507 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.830215 IP 172.26.163.36.52092 > 10.64.17.10.domain: 14287+ A? management.azure.com. (38)
12:24:57.843584 IP 10.64.17.10.domain > 172.26.163.36.52092: 14287 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.130100 IP 172.26.163.36.46677 > 10.64.17.10.domain: 35906+ A? management.azure.com. (38)
12:24:58.142549 IP 10.64.17.10.domain > 172.26.163.36.46677: 35906 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:58.394089 IP 10.64.17.10.domain > 172.26.163.36.56930: 4052 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:24:59.735676 IP 10.64.17.10.domain > 172.26.163.36.56899: 41422 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
12:25:00.072370 IP 10.64.17.10.domain > 172.26.163.36.61066: 21154 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)

I have spoken to R&D through our SE and they say that this is by design which I really don't get. Anyone else seen this behaviour with Cloudguard firewalls ?

Re: High number of DNS queries generated by Cloudguard firewalls for microsoft domains

Martin_Valenta — Wed, 20 Mar 2019 13:30:25 GMT

It's contastly checking with azure api backend, that's why so many dns hits..

Re: High number of DNS queries generated by Cloudguard firewalls for microsoft domains

Usman_Shaikh — Wed, 20 Mar 2019 14:18:36 GMT

What I dont get is that why does the FW send 6-7 requests for same domain each second when the TTL on these records is set to 10 secs (for the A record)

[Expert@fw1:0]# dig management.azure.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> management.azure.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2104
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;management.azure.com. IN A

;; ANSWER SECTION:
management.azure.com. 373 IN CNAME arm-rpfd-prod.trafficmanager.net.
arm-rpfd-prod.trafficmanager.net. 13 IN CNAME uknorth.management.azure.com.
uknorth.management.azure.com. 1634 IN CNAME rpfd-prod-mm-01.cloudapp.net.
rpfd-prod-mm-01.cloudapp.net. 4 IN A 13.87.77.81

;; Query time: 12 msec
;; SERVER: 10.64.17.10#53(10.64.17.10)
;; WHEN: Wed Mar 20 14:16:22 2019
;; MSG SIZE rcvd: 161

topic Re: High number of DNS queries generated by Cloudguard firewalls for microsoft domains in Cloud Firewall

High number of DNS queries generated by Cloudguard firewalls for microsoft domains

Re: High number of DNS queries generated by Cloudguard firewalls for microsoft domains

Re: High number of DNS queries generated by Cloudguard firewalls for microsoft domains