High number of DNS queries generated by Cloudguard firewalls for microsoft domains
We are seeing a high number of DNS requests for management.azure.com and blob.core.windows.net made every second by our R80.10 (JHF Take 169) Cloudguard firewalls running FW/URLF/APPI blades to our DNS server at 10.64.17.10.
We do not have a domain object defined for these domains.
12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.998820 IP 10.64.17.10.domain > 172.26.163.36.54997: 28673 2/0/0 CNAME blob.am4prdstr02a.store.core.windows.net., A 40.118.73.208 (109)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.038050 IP 10.64.17.10.domain > 172.26.163.36.49448: 19122 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.338527 IP 10.64.17.10.domain > 172.26.163.36.45648: 38158 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:57.595217 IP 10.64.17.10.domain > 172.26.163.36.33918: 37507 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.830215 IP 172.26.163.36.52092 > 10.64.17.10.domain: 14287+ A? management.azure.com. (38)
12:24:57.843584 IP 10.64.17.10.domain > 172.26.163.36.52092: 14287 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.130100 IP 172.26.163.36.46677 > 10.64.17.10.domain: 35906+ A? management.azure.com. (38)
12:24:58.142549 IP 10.64.17.10.domain > 172.26.163.36.46677: 35906 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:58.394089 IP 10.64.17.10.domain > 172.26.163.36.56930: 4052 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:24:59.735676 IP 10.64.17.10.domain > 172.26.163.36.56899: 41422 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
12:25:00.072370 IP 10.64.17.10.domain > 172.26.163.36.61066: 21154 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
I have spoken to R&D through our SE and they say that this is by design, which I really don't get. Has anyone else seen this behaviour with Cloudguard firewalls?
It's constantly checking with the Azure API backend, that's why there are so many DNS hits.
What I don't get is why the FW sends 6-7 requests for the same domain each second when the TTL on these records is set to 10 secs (for the A record).
[Expert@fw1:0]# dig management.azure.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> management.azure.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2104
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;management.azure.com. IN A
;; ANSWER SECTION:
management.azure.com. 373 IN CNAME arm-rpfd-prod.trafficmanager.net.
arm-rpfd-prod.trafficmanager.net. 13 IN CNAME uknorth.management.azure.com.
uknorth.management.azure.com. 1634 IN CNAME rpfd-prod-mm-01.cloudapp.net.
rpfd-prod-mm-01.cloudapp.net. 4 IN A 13.87.77.81
;; Query time: 12 msec
;; SERVER: 10.64.17.10#53(10.64.17.10)
;; WHEN: Wed Mar 20 14:16:22 2019
;; MSG SIZE rcvd: 161
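The question above (query count per second against the record TTL) can be checked mechanically on the tcpdump lines from the first post. The script below is an added example, not code from the thread or from Check Point: it parses the query lines of the capture, groups them per client, name and record type, and reports every name that is re-queried more often than a cache-respecting resolver would need given its TTL. The capture lines are copied from the thread; the TTL table is an assumption using the 10 s the poster states (the dig output above shows 4 s on the final A record, which would only lower the number of lookups a cache needs).

```python
import re
from collections import defaultdict
from datetime import datetime

# Query lines copied from the thread's tcpdump capture, plus one response line to show
# that the parser skips responses. Input assembled here for the example.
CAPTURE = """\
12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:57.830215 IP 172.26.163.36.52092 > 10.64.17.10.domain: 14287+ A? management.azure.com. (38)
12:24:58.130100 IP 172.26.163.36.46677 > 10.64.17.10.domain: 35906+ A? management.azure.com. (38)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
"""

# Assumed TTL table: the 10 s the original poster states for the A record.
TTL_SECONDS = {"management.azure.com.": 10}

# Matches only client -> resolver query lines:
#   "<ts> IP <client.port> > <resolver>.domain: <id>[+] <TYPE>? <name> (<len>)"
# Response lines have "<resolver>.domain > <client.port>:" and do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<resolver>\S+)\.domain: "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(text):
    """Return one dict per DNS query line; responses and non-DNS lines are ignored."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        q = m.groupdict()
        q["ts"] = datetime.strptime(q["ts"], "%H:%M:%S.%f")
        q["client"] = q["src"].rsplit(".", 1)[0]  # tcpdump prints "ip.port"; keep the IP
        queries.append(q)
    return queries


def query_stats(queries):
    """Group by (client, qname, qtype): query count, observed span in seconds, rate."""
    groups = defaultdict(list)
    for q in queries:
        groups[(q["client"], q["qname"], q["qtype"])].append(q["ts"])
    stats = {}
    for key, stamps in groups.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        stats[key] = {
            "count": len(stamps),
            "span": span,
            "rate": len(stamps) / max(span, 1.0),  # queries/s, 1 s floor for singletons
        }
    return stats


def flag_excess(stats, ttl_table):
    """Report clients that re-query a name more often than its TTL requires.

    A resolver that honours the cache needs at most floor(span / ttl) + 1 lookups
    over the observed span; every query above that is counted as excess.
    """
    flagged = {}
    for (client, qname, qtype), s in stats.items():
        ttl = ttl_table.get(qname)
        if ttl is None:
            continue
        expected_max = int(s["span"] // ttl) + 1
        excess = s["count"] - expected_max
        if excess > 0:
            flagged[(client, qname, qtype)] = {"expected_max": expected_max, "excess": excess, **s}
    return flagged


if __name__ == "__main__":
    stats = query_stats(parse_queries(CAPTURE))
    for (client, qname, qtype), s in sorted(stats.items()):
        print(f"{client} {qtype:5s} {qname:45s} n={s['count']} span={s['span']:.2f}s rate={s['rate']:.2f}/s")
    for (client, qname, qtype), f in flag_excess(stats, TTL_SECONDS).items():
        print(f"EXCESS: {client} sent {f['count']} {qtype} queries for {qname}; TTL allows {f['expected_max']}")
```

On the thread's capture this reports 8 A queries for management.azure.com in about 3 seconds where one would do, i.e. the gateway is not caching the answer between its API checks. The same check is what a SOC runs before tuning a DNS beaconing or tunnelling detection: a client re-resolving one name many times inside a single TTL window is either a non-caching client (the CloudGuard case, by design according to the reply above) or something worth a closer look, so baselining the known CloudGuard names keeps the alert useful rather than noisy.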