Christian_Koehl
Contributor

Updatable objects causing mass of DNS requests

Hi folks,

I have some trouble with updatable objects.

When updatable objects for "Office 365" and "Amazon web service" are activated, my gateway sends about 110-120 DNS requests per second --> that means more than 400.000 requests per hour.
When deactivating the updatable objects, the DNS requests stop immediately.


Mgmt: MDM, R80.40, JHF-91
Gateway: VSX Gateway Cluster, R80.30, JHF-227, DNS requests are sent by VS2


Any idea?

Best regards,
Christian

0 Kudos
5 Replies
Vladimir
Champion

Hmm... I would expect the Updatable Objects to cause the bursts of periodic DNS requests, but not perpetually at the rate you are describing.

Are you sure that your VS2 is getting the replies to those queries?

0 Kudos
Christian_Koehl
Contributor

I have a tcpdump showing the sending of DNS requests (using the cluster IP of VS2) and the receiving of the DNS responses.

What looks a little bit strange is that only two different source ports were used by VS2 in the DNS requests.

0 Kudos
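One way to quantify the tcpdump observations discussed in this thread (query rate, distinct source ports, and whether each query gets a reply), as an added example that is not part of any post. It assumes the text output of `tcpdump -nn -tt udp port 53`; the sample lines, addresses and names are constructed, and `summarize` is a hypothetical helper.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -nn -tt udp port 53` text format
# (documentation addresses and names, not a capture from the thread).
SAMPLE = """\
1000.000000 IP 192.0.2.10.33001 > 198.51.100.53.53: 101+ A? a.example.com. (31)
1000.004000 IP 198.51.100.53.53 > 192.0.2.10.33001: 101 1/0/0 A 203.0.113.5 (47)
1000.250000 IP 192.0.2.10.33002 > 198.51.100.53.53: 102+ A? b.example.com. (31)
1000.254000 IP 198.51.100.53.53 > 192.0.2.10.33002: 102 1/0/0 A 203.0.113.6 (47)
1000.500000 IP 192.0.2.10.33001 > 198.51.100.53.53: 103+ A? a.example.com. (31)
1001.000000 IP 192.0.2.10.33002 > 198.51.100.53.53: 104+ AAAA? c.example.com. (31)
1001.003000 IP 198.51.100.53.53 > 192.0.2.10.33002: 104 0/1/0 (90)
"""

# timestamp, src ip/port, dst ip/port, DNS query ID (flags skipped), remainder
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\S* (.*)$")
# a query prints as "TYPE? name", optionally preceded by a "[...]" annotation
QUERY = re.compile(r"^(?:\[[^\]]*\] )?([A-Z0-9]+)\? (\S+)")

def summarize(text, client_ip):
    """Summarise DNS queries sent by client_ip: rate, source ports, unanswered."""
    first = last = None
    pending, ports, names = {}, Counter(), Counter()
    queries = 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, qid, rest = m.groups()
        q = QUERY.match(rest)
        if src == client_ip and dport == "53" and q:
            first = float(ts) if first is None else first
            last = float(ts)
            queries += 1
            ports[int(sport)] += 1
            names[q.group(2)] += 1
            pending[(sport, qid)] = q.group(2)
        elif dst == client_ip and sport == "53":
            pending.pop((dport, qid), None)  # reply matched on port + query ID
    span = (last - first) if queries > 1 else 0.0
    return {
        "queries": queries,
        "qps": round(queries / span, 2) if span else None,  # first-to-last query
        "source_ports": sorted(ports),
        "unanswered": sorted(pending.values()),
        "top_names": names.most_common(3),
    }
```

A high `qps` with an empty `unanswered` list points at query volume rather than retries, and `top_names` shows which domains are being resolved repeatedly.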
_Alex_
Advisor

Did you check you're matching all the requirements of sk131852?

0 Kudos
Jerry
Leader

I've had a very similar scenario where one VS out of 10 other VSs had many "updatable objects" in its policy, including many "countries" in drop/allow lists, depending on what countries were "eliminated" and which were simply dropped without logging, like "stealth" filtering.

The level of traffic (udp/53) between that VS and a, luckily, "very local" DNS server was like a 2-4 MB/s constant stream 24/7/365. After roughly about a year, that DNS server was replaced with a much stronger and more powerful machine, as DNS became a bottleneck to the "responses" being served to that VS (Internet Perimeter FW). Giving more resources to the DNS server itself sorted the issues out, and the internal power of the DNS server brought the stream between the VS and DNS down to 500-600kb/s instead. Simply put, the way the updatable objects work is not that harmful to the VSs as long as your DNS can cope and swallow such an amount of "queries" all day long, every day.

I had a similar scenario with "stand-alone" appliances as well as "remotely-managed" gateways, where on R81 that problem just now disappeared, but one thing remained crucial: DNS server capabilities and its "responsiveness" in general.

That's just my 5 cents. Hope it helps somehow 🙂

Jerry
0 Kudos
Micky_Michaeli
Employee

Hi @Christian_Koehl,

According to sk131852, "External services providers publish lists of IP addresses, or Domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers". The Office 365 object contains many domains which require these DNS queries, so this is the expected behavior. Reducing the amount of DNS queries without having matching issues is something we have in our roadmap.

Best regards,

Micky

0 Kudos