Updatable Objects and DNS queries

In our lab environment, we have created two rules which use four different Updatable Objects:

Azure Services
Okta Services
Office365 Worldwide
Office365 Worldwide Services

Once these rules were added, our gateways started submitting a large number of DNS queries, upwards of 435,000 an hour. That's a lot of queries; it looks like most domains are queried 4 times a minute. Is this expected behavior, and is there any way to change some setting(s) to decrease this number?

Thanks,

Dave

5 Replies
Admin

Re: Updatable Objects and DNS queries

What version/JHF level?

Re: Updatable Objects and DNS queries

R80.20 w/Jumbo HFA Take 134

Dave


Re: Updatable Objects and DNS queries

I have observed similar behavior on R80.20 using Updatable Objects for Office 365. It hasn't caused any problems that I've noticed, so I wasn't raising the issue to TAC. But I have noticed it happening.

R80 CCSA / CCSE

Re: Updatable Objects and DNS queries

Thanks for the verification. It's good to know this might be "normal" behavior, and like you I haven't seen any impact on the gateway. Where we noticed it is with our SIEM, since we pull in DNS logs from our DNS servers. It has seriously increased the number of events in our SIEM.

Still curious if there is a way to adjust settings so at least the queries do not happen so often.

Dave


Re: Updatable Objects and DNS queries

Same issue here when we tested the O365 updatable object. It is because the updatable objects for O365 have wildcard domains and the gateways treat those lookups differently. For wildcard domains, from my understanding, each packet will be checked, which leads to the increase in DNS queries. Normal FQDNs will use a cached entry.

As a side note, in R80.20 (not sure on newer versions) you will notice that for each DNS query sent by the gateway, another one to two will be sent with 'www' prefixed. This will lead to a lot of NXDOMAIN responses and additional load on the DNS server. So all this builds up. The fix is to add the below parameter to the fwkern.conf file (create it if it doesn't exist). You will need to reboot for the fix to be applied, since it won't take effect on the fly.

/var/opt/fw.boot/modules/fwkern.conf
add_www_prefix_to_domain_name=0
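For anyone triaging the SIEM noise Dave describes, the following is an added example (not from this thread or from Check Point) that runs two checks over DNS server log lines: names a single client resolves 4 or more times within one minute, and base names whose 'www.'-prefixed twin returns NXDOMAIN alongside the base lookup, the pattern the reply above ties to add_www_prefix_to_domain_name. The log format (timestamp, client IP, query name, rcode) and the sample lines are constructed; adapt the regex to your resolver's real log layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample DNS log (timestamp client qname rcode); not real captured data.
SAMPLE_LOG = """\
2019-06-03T10:00:00Z 10.1.1.10 outlook.office365.com NOERROR
2019-06-03T10:00:00Z 10.1.1.10 www.outlook.office365.com NXDOMAIN
2019-06-03T10:00:15Z 10.1.1.10 outlook.office365.com NOERROR
2019-06-03T10:00:15Z 10.1.1.10 www.outlook.office365.com NXDOMAIN
2019-06-03T10:00:30Z 10.1.1.10 outlook.office365.com NOERROR
2019-06-03T10:00:30Z 10.1.1.10 www.outlook.office365.com NXDOMAIN
2019-06-03T10:00:45Z 10.1.1.10 outlook.office365.com NOERROR
2019-06-03T10:00:45Z 10.1.1.10 www.outlook.office365.com NXDOMAIN
2019-06-03T10:00:05Z 10.1.1.20 intranet.example.internal NOERROR
2019-06-03T10:00:50Z 10.1.1.20 www.example.com NOERROR
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (minute_bucket, client, qname, rcode); ts[:16] keeps YYYY-MM-DDTHH:MM."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, rcode = m.groups()
            yield ts[:16], client, qname.lower().rstrip("."), rcode

def find_repeated_lookups(log, per_minute=4):
    """Return {(client, qname): peak_count} for names a client queried
    >= per_minute times within any single minute (the '4 times a minute' symptom)."""
    buckets = Counter()
    for minute, client, qname, _ in parse(log):
        buckets[(minute, client, qname)] += 1
    hits = {}
    for (minute, client, qname), n in buckets.items():
        if n >= per_minute:
            hits[(client, qname)] = max(n, hits.get((client, qname), 0))
    return hits

def find_www_prefix_pairs(log):
    """Return {(client, base)} where 'www.'+base got NXDOMAIN and the same client
    also queried base itself, i.e. the auto-prefixed lookups the reply describes."""
    queried = defaultdict(set)
    nx_www = defaultdict(set)
    for _, client, qname, rcode in parse(log):
        queried[client].add(qname)
        if qname.startswith("www.") and rcode == "NXDOMAIN":
            nx_www[client].add(qname[4:])
    return {(c, b) for c, bases in nx_www.items() for b in bases if b in queried[c]}

if __name__ == "__main__":
    print(find_repeated_lookups(SAMPLE_LOG))
    print(find_www_prefix_pairs(SAMPLE_LOG))
```

Clients flagged by both checks are gateway resolvers worth excluding or rate-limiting in the SIEM ingest, rather than genuine anomalies.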