Usman_Shaikh
Contributor

High number of DNS queries generated by Cloudguard firewalls for microsoft domains

We are seeing a high number of DNS requests made by our R80.10 (JHF Take 169) Cloudguard firewalls running FW/URLF/APPI blades to management.azure.com and blob.core.windows.net every second to our DNS server on 10.64.17.10.

We do not have a domain object defined for these domains.

12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.998820 IP 10.64.17.10.domain > 172.26.163.36.54997: 28673 2/0/0 CNAME blob.am4prdstr02a.store.core.windows.net., A 40.118.73.208 (109)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.038050 IP 10.64.17.10.domain > 172.26.163.36.49448: 19122 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.338527 IP 10.64.17.10.domain > 172.26.163.36.45648: 38158 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:57.595217 IP 10.64.17.10.domain > 172.26.163.36.33918: 37507 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.830215 IP 172.26.163.36.52092 > 10.64.17.10.domain: 14287+ A? management.azure.com. (38)
12:24:57.843584 IP 10.64.17.10.domain > 172.26.163.36.52092: 14287 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.130100 IP 172.26.163.36.46677 > 10.64.17.10.domain: 35906+ A? management.azure.com. (38)
12:24:58.142549 IP 10.64.17.10.domain > 172.26.163.36.46677: 35906 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:58.394089 IP 10.64.17.10.domain > 172.26.163.36.56930: 4052 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:24:59.735676 IP 10.64.17.10.domain > 172.26.163.36.56899: 41422 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
12:25:00.072370 IP 10.64.17.10.domain > 172.26.163.36.61066: 21154 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)

I have spoken to R&D through our SE and they say that this is by design, which I really don't get. Anyone else seen this behaviour with Cloudguard firewalls?

2 Replies
Martin_Valenta
Advisor

It's constantly checking with the Azure API backend, that's why so many DNS hits.

Usman_Shaikh
Contributor

What I don't get is why the FW sends 6-7 requests for the same domain each second when the TTL on these records is set to 10 secs (for the A record).

[Expert@fw1:0]# dig management.azure.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> management.azure.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2104
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;management.azure.com. IN A

;; ANSWER SECTION:
management.azure.com. 373 IN CNAME arm-rpfd-prod.trafficmanager.net.
arm-rpfd-prod.trafficmanager.net. 13 IN CNAME uknorth.management.azure.com.
uknorth.management.azure.com. 1634 IN CNAME rpfd-prod-mm-01.cloudapp.net.
rpfd-prod-mm-01.cloudapp.net. 4 IN A 13.87.77.81

;; Query time: 12 msec
;; SERVER: 10.64.17.10#53(10.64.17.10)
;; WHEN: Wed Mar 20 14:16:22 2019
;; MSG SIZE rcvd: 161

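To put numbers on the "every second" observation in the first post and the TTL question in the reply above, here is an added example (not from the thread, Check Point or Microsoft) that parses tcpdump query lines in the posted format and reports, per name, how many repeat queries were sent sooner than a given TTL; the sample is a constructed subset of the capture, and the 10 s figure is the TTL quoted in the reply.

```python
import re
from collections import defaultdict

# Constructed sample: query lines in the tcpdump format posted in the thread (a response
# line is included to show it is ignored). Only the firewall's outbound queries are counted.
SAMPLE = """\
12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
"""

# tcpdump's one-line query summary: "<ts> IP <src>.<port> > <resolver>.domain: <id>+ <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \S+ > \S+\.domain: "
    r"\d+\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)


def parse_queries(text):
    """Return [(seconds_since_midnight, qtype, qname)] for query lines; response lines do not match."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            h, mnt, sec = m.group("ts").split(":")
            out.append((int(h) * 3600 + int(mnt) * 60 + float(sec), m.group("qtype"), m.group("qname")))
    return out


def query_stats(text, ttl_s):
    """Per (qtype, qname): query count, capture window, smallest gap between repeats, and the
    number of repeats sent sooner than ttl_s after the previous one (a TTL-honouring cache
    would give 0). Assumes a single capture that does not cross midnight."""
    by_name = defaultdict(list)
    for t, qtype, qname in parse_queries(text):
        by_name[(qtype, qname)].append(t)
    stats = {}
    for key, times in by_name.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {
            "count": len(times),
            "window_s": round(times[-1] - times[0], 3),
            "min_gap_s": round(min(gaps), 3) if gaps else None,
            "within_ttl": sum(1 for g in gaps if g < ttl_s),
        }
    return stats
```

Run it against a longer `tcpdump -n port 53` capture from the gateway to see whether the repeat rate matches the TTLs returned by dig; a non-zero `within_ttl` for the same name and type is the re-query behaviour the thread describes.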
