topic Re: DNS Reputation Cache timer in Firewall and Security Management

DNS Reputation Cache timer

NorthernNetGuy — Mon, 06 Mar 2023 16:08:26 GMT

Hi All,

For DNS reputation protections, I'm trying to find how long the cache time is, and where the config file to modify this is.

IIRC the AV blade for DNS reputation detects the first attempt, and then blocks all future attempts for queries if it was flagged and cached as bad. this cache I think clears after 12 hours, but i'd like to verify the time on this. My client may want to adjust this to a longer timer before clearing the reputation.

Thank you

Re: DNS Reputation Cache timer

Chris_Atkinson — Wed, 08 Mar 2023 15:09:29 GMT

IIRC some operations are based on DNS TTL others are based on how full the relevant RAD cache is...

Relevant resources include:

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot
sk110214: How to clear DNS cache of HTTP/HTTPS Proxy function without 'cpstop'
sk89340: Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'
sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
sk92264: ATRG: Anti-Bot and Anti-Virus

sk90422: How to modify URL Filtering cache size?

Re: DNS Reputation Cache timer

the_rock — Tue, 07 Mar 2023 00:52:30 GMT

You could check below file on mgmt server:

$FWDIR/conf/malware_config

Re: DNS Reputation Cache timer

NorthernNetGuy — Wed, 08 Mar 2023 14:26:02 GMT

I've reviewed these SKs now, and I'm not finding enough info on the DNS cache within them.

from the malware_config file, there is the [dns info] section, which just has a 300TTL and enable variable. I'm wondering if this TTL is 300 minutes/5 hours for the AV cache. Can anyone confirm?

Also not seeing anything indicative of changing this within the rad_conf.C

Re: DNS Reputation Cache timer

PhoneBoy — Wed, 08 Mar 2023 18:15:24 GMT

I would assume the TTL is in seconds, which is how the underlying DNS expresses TTL.

Re: DNS Reputation Cache timer

yalmog — Fri, 17 Mar 2023 05:26:41 GMT

Hi, the timer is determined by threadCloud for each url, usually 10-24 hr. It cannot be changed. The ttl in malware_config is not in use.

Re: DNS Reputation Cache timer

Albin — Wed, 14 Feb 2024 12:46:03 GMT

Is this still the case?

For environments with huge amount of DNS traffic, the cache of 400K might get full and the built-in clearing functions are not sufficient. The next step would be to modify the TTLs so unncessary DNS cache entries does not last as long.