https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201222#M37823 <P>What appears to be happening is that every time an FQDN rule gets hit, the gateway is looking up the IP rather than using DNS cache.</P> Wed, 20 Dec 2023 17:01:20 GMT timothyjwitt 2023-12-20T17:01:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201138#M37803 <P>Hello,<BR />We started to see an excessive amount of DNS queries coming from our gateways seemingly looking up FQDN objects.&nbsp; This started 12/17/2023 at 1am and we see it on multiple gateways at multiple sites with different DNS servers in Gaia config.<BR />When I say excessive, one site 'normal' operation prior to the issue had 92k (10MB) dns queries from the gateway per hour and after this past Sunday it's at 17Million (1.8GB) per hour.<BR />No changes to the environments since 12/14/2023, we are currently in a code freeze.<BR />We are on R81.10 JHF 95.<BR />We have ~580 FQDN objects in policies.<BR />Policy install didn't fix, nor did failover but a reboot seems to have resolved it.<BR />Wondering if anyone else has seen anything strange like this.<BR />TAC has been engaged.<BR />Thanks,<BR />Tim</P> Tue, 19 Dec 2023 21:26:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201138#M37803 timothyjwitt 2023-12-19T21:26:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201160#M37807 <P>The DNS cache is limited to 25000 entries.<BR />With that many FQDN objects, it's possible you're exceeding this limit and you may need to adjust it:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk157493" target="_blank">https://support.checkpoint.com/results/sk/sk157493</A><BR />Otherwise, I suggest involving the TAC.</P> Wed, 20 Dec 2023 02:08:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201160#M37807 PhoneBoy 2023-12-20T02:08:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201205#M37818 <P>The&nbsp;fw tab -t dns_reverse_cache_tbl command output is completely different on my GW's but if I'm reading that correctly the size (limit) is 28672 and the number of entries is 4114.&nbsp; However, the limit in table.def is set at 25000.<BR />-------- dns_reverse_cache_tbl --------<BR />htab_bl, id 35, size 28672, attributes: expire, no links, #vals 4114 #slinks 0<BR /><BR />I'm stuck on this occurring across our GW fleet at a specific date and time, seems like some sort of automatic update?<BR />I've got a case open with TAC.</P> Wed, 20 Dec 2023 15:40:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201205#M37818 timothyjwitt 2023-12-20T15:40:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201211#M37820 <P>If you've hit the high water mark of 25,000, I believe it will show in the output of&nbsp;<SPAN>fw tab -t dns_reverse_cache_tbl -s.<BR />That would at least tell us if my theory is correct.</SPAN></P> Wed, 20 Dec 2023 16:18:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201211#M37820 PhoneBoy 2023-12-20T16:18:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201212#M37821 <P>Looks like peak was 12725<BR />fw tab -t dns_reverse_cache_tbl -s<BR />HOST NAME ID #VALS #PEAK #SLINKS<BR />localhost dns_reverse_cache_tbl 38 12725 0 0</P> Wed, 20 Dec 2023 16:23:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201212#M37821 timothyjwitt 2023-12-20T16:23:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201222#M37823 <P>What appears to be happening is that every time an FQDN rule gets hit, the gateway is looking up the IP rather than using DNS cache.</P> Wed, 20 Dec 2023 17:01:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201222#M37823 timothyjwitt 2023-12-20T17:01:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201226#M37825 <P>You could try below</P> <P><A href="https://support.checkpoint.com/results/sk/sk32224" target="_blank">https://support.checkpoint.com/results/sk/sk32224</A></P> <P>Andy</P> Wed, 20 Dec 2023 17:45:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-DNS-Queries-from-Gateways/m-p/201226#M37825 the_rock 2023-12-20T17:45:03Z