Updatable Objects and DNS queries
In our lab environment, we have created two rules which use four different Updatable Objects:
Azure Services
Okta Services
Office365 Worldwide
Office365 Worldwide Services
Once these rules were added, our gateways started submitting a large number of DNS queries, upwards of 435,000 an hour. That's a lot of queries; it looks like most domains are queried 4 times a minute. Is this expected behavior, and is there any way to change some setting(s) to decrease this number?
Thanks,
Dave
R80.20 w/Jumbo HFA Take 134
Dave
I have observed similar behavior on R80.20 using Updatable Objects for Office 365. It hasn't caused any problems that I've noticed, so I wasn't raising the issue to TAC. But I have noticed it happening.
Thanks for the verification. It's good to know this might be "normal" behavior, and like you I haven't seen any impact to the gateway. Where we noticed it is with our SIEM, since we pull in DNS logs from our DNS servers. It has seriously increased the number of events in our SIEM.
Still curious if there is a way to adjust settings so at least the queries do not happen so often.
Dave
Same issue here when we tested the O365 Updatable Object. It is because the Updatable Objects for O365 have wildcard domains and the gateways treat those lookups differently. For wildcard domains, from my understanding, each packet will be checked, which leads to the increase in DNS. A normal FQDN will use a cached entry.
As a side note, in R80.20 (not sure on newer versions) you will notice that for each DNS query sent by the gateway, another one to two will be sent with 'www' appended. This will lead to a lot of NXDOMAIN responses and additional load on the DNS server. So all this builds up. The fix is to add the below parameter to the fwkern.conf file (create it if it doesn't exist). You will need to reboot for the fix to be applied, since it won't take effect on the fly.
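The two symptoms described in this thread (the same name re-queried several times a minute by the gateway, and 'www.'-prefixed probes coming back NXDOMAIN) are easy to confirm from the resolver's own query logs before opening a TAC case. The script below is an added example, not code from the thread, from Check Point or from Infoblox. It assumes a simplified, constructed log line format (`<timestamp> client=<ip> qname=<name> qtype=<type> rcode=<code>`); a real BIND or Infoblox query log would need its own regex, and the gateway address `10.1.1.5`, the workstation `10.2.2.7`, and the per-minute threshold of 4 are all assumptions chosen to match the numbers quoted in the thread.

```python
"""Spot a firewall gateway re-resolving Updatable Object domains too often.

Added example for this thread; not Check Point, Infoblox or thread code.
The log format, hosts and threshold below are assumptions/constructed data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data). 10.1.1.5 plays the gateway,
# 10.2.2.7 a workstation whose stub resolver caches answers normally.
SAMPLE_LOG = """\
2023-05-01T10:00:03Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:00:03Z client=10.1.1.5 qname=www.outlook.office365.com qtype=A rcode=NXDOMAIN
2023-05-01T10:00:18Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:00:33Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:00:33Z client=10.1.1.5 qname=www.outlook.office365.com qtype=A rcode=NXDOMAIN
2023-05-01T10:00:48Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:03Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:18Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:18Z client=10.1.1.5 qname=www.outlook.office365.com qtype=A rcode=NXDOMAIN
2023-05-01T10:01:33Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:48Z client=10.1.1.5 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:48Z client=10.1.1.5 qname=www.outlook.office365.com qtype=A rcode=NXDOMAIN
2023-05-01T10:00:10Z client=10.2.2.7 qname=outlook.office365.com qtype=A rcode=NOERROR
2023-05-01T10:01:40Z client=10.2.2.7 qname=intranet.example.com qtype=A rcode=NOERROR
"""

# Assumed simplified format; adapt this regex to the real resolver's log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def _norm(qname):
    return qname.lower().rstrip(".")


def peak_rate_per_minute(records):
    """Return {(client, qname): most queries seen in any single minute}."""
    per_minute = Counter()
    for r in records:
        minute = r["ts"][:16]  # "YYYY-MM-DDTHH:MM"
        per_minute[(r["client"], _norm(r["qname"]), minute)] += 1
    peak = defaultdict(int)
    for (client, qname, _minute), n in per_minute.items():
        peak[(client, qname)] = max(peak[(client, qname)], n)
    return dict(peak)


def noisy_clients(records, threshold=4):
    """(client, qname, peak) for names re-asked >= threshold times a minute.

    A caching stub resolver rarely repeats the same name within a minute;
    the thread reports the gateway doing so about 4 times a minute per
    domain. The threshold is an assumption for this example.
    """
    return sorted(
        (client, qname, peak)
        for (client, qname), peak in peak_rate_per_minute(records).items()
        if peak >= threshold
    )


def www_nxdomain_echoes(records):
    """Count NXDOMAIN answers for 'www.<name>' where the same client also
    queried <name> itself, i.e. the 'www'-appended probe pattern described
    in the thread. Returns {client: count}."""
    asked = {(r["client"], _norm(r["qname"])) for r in records}
    echoes = Counter()
    for r in records:
        qname = _norm(r["qname"])
        if r["rcode"] == "NXDOMAIN" and qname.startswith("www."):
            if (r["client"], qname[4:]) in asked:
                echoes[r["client"]] += 1
    return dict(echoes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname, peak in noisy_clients(recs):
        print(f"{client} asks {qname} up to {peak}x/min")
    print("www-NXDOMAIN echoes per client:", www_nxdomain_echoes(recs))
```

Run against a real export, the `noisy_clients` list should contain only the gateways' addresses and only the wildcard Updatable Object domains; if workstations or unrelated names show up, the SIEM noise has another source. The `www_nxdomain_echoes` count is what the Infoblox "UDPv4 errors" alarm mentioned later in this thread would be reacting to.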
We got the same problem on R80.30 Take 226. That behavior triggered a "DNSAttack (Possible DNS attack detected. Abnormal conditions: UDPv4 errors at XX%)" situation on our Infobloxes, causing a P2. The Infoblox started its "attack mitigation", throttling all DNS requests and dropping lots of legitimate requests.
It is not that our Infobloxes are undersized. The CPs are just querying too much.
Just for the record: a possible workaround should be incrementing the rad_kernel_domain_cache_refresh_interval parameter from 60 to 120, together with a CP engineer. That was the feedback from our support case.
But we have chosen to leave it as is...
