NorthernNetGuy
Advisor

DNS Reputation Cache timer

Hi All,

 

For DNS reputation protections, I'm trying to find how long the cache time is, and where the config file to modify this is.

 

IIRC the AV blade for DNS reputation detects the first attempt, and then blocks all future attempts for queries if it was flagged and cached as bad. This cache I think clears after 12 hours, but I'd like to verify the time on this. My client may want to adjust this to a longer timer before clearing the reputation.

 

Thank you

6 Replies
Chris_Atkinson
Employee

IIRC some operations are based on DNS TTL others are based on how full the relevant RAD cache is...

 

Relevant resources include:

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot
sk110214: How to clear DNS cache of HTTP/HTTPS Proxy function without 'cpstop'
sk89340: Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'
sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
sk92264: ATRG: Anti-Bot and Anti-Virus
sk90422: How to modify URL Filtering cache size?

CCSM R77/R80/ELITE
NorthernNetGuy
Advisor

I've reviewed these SKs now, and I'm not finding enough info on the DNS cache within them.

 

From the malware_config file, there is the [dns info] section, which just has a TTL of 300 and an enable variable. I'm wondering if this TTL is 300 minutes / 5 hours for the AV cache. Can anyone confirm?

 

I'm also not seeing anything indicative of changing this within rad_conf.C.

 

PhoneBoy
Admin

I would assume the TTL is in seconds, which is how the underlying DNS expresses TTL.

the_rock
Legend

You could check below file on mgmt server:

$FWDIR/conf/malware_config

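Added example (not Check Point's code and not posted by anyone in this thread): a small parser that pulls the [dns info] section out of a malware_config-style file so the TTL and enable values can be read programmatically rather than by eye. It assumes the file is INI-style (bracketed section headers with key = value lines), that the keys are named `ttl` and `enable`, and that the TTL is in seconds; the sample content is constructed here. The section name `[dns info]` and the value 300 are the ones the thread mentions.

```python
"""Read the [dns info] section of a Check Point-style malware_config file.

Added example for this thread, not Check Point's own code. Assumptions:
the file is INI-style, the keys are 'ttl' and 'enable', and the TTL value
is expressed in seconds (as DNS itself expresses TTL).
"""
import configparser
import os

# Constructed sample resembling the [dns info] section discussed above.
# Key names are assumed; only the section name and the value 300 come from the thread.
SAMPLE_MALWARE_CONFIG = """\
[dns info]
ttl = 300
enable = 1
"""

DNS_SECTION = "dns info"


def parse_dns_info(text):
    """Parse malware_config text and return the [dns info] settings.

    Returns a dict with 'enabled' (bool), 'ttl_seconds' (int) and
    'ttl_hours' (float). Raises KeyError if the section is absent and
    ValueError if ttl/enable are missing or malformed.
    """
    # interpolation=None: '%' in values must not be treated as a template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(DNS_SECTION):
        raise KeyError("no [%s] section in config" % DNS_SECTION)
    sec = cp[DNS_SECTION]
    if "ttl" not in sec or "enable" not in sec:
        raise ValueError("[%s] must define both 'ttl' and 'enable'" % DNS_SECTION)
    ttl = sec.getint("ttl")                 # ValueError if not an integer
    if ttl < 0:
        raise ValueError("ttl must be non-negative, got %d" % ttl)
    enabled = sec.getboolean("enable")      # accepts 1/0, yes/no, true/false
    return {"enabled": enabled, "ttl_seconds": ttl, "ttl_hours": ttl / 3600.0}


def read_dns_info_from_fwdir(path=None):
    """Read the live file, defaulting to $FWDIR/conf/malware_config."""
    if path is None:
        fwdir = os.environ.get("FWDIR")
        if not fwdir:
            raise EnvironmentError("FWDIR is not set; pass an explicit path")
        path = os.path.join(fwdir, "conf", "malware_config")
    with open(path, "r") as fh:
        return parse_dns_info(fh.read())


def describe(info):
    """One-line human summary of a parsed [dns info] section."""
    return "dns info: enabled=%s ttl=%ds (%.2f h)" % (
        info["enabled"], info["ttl_seconds"], info["ttl_hours"])


if __name__ == "__main__":
    # Run against the constructed sample when no real file is available.
    print(describe(parse_dns_info(SAMPLE_MALWARE_CONFIG)))
```

Run it on a management server with `FWDIR` set and it reads the real file via `read_dns_info_from_fwdir()`; without it, the constructed sample shows that a TTL of 300, if it were seconds, is only five minutes, not five hours.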
yalmog
Employee

Hi, the timer is determined by ThreatCloud for each URL, usually 10-24 hours. It cannot be changed. The TTL in malware_config is not in use.

Albin
Contributor

Is this still the case?

For environments with a huge amount of DNS traffic, the cache of 400K might get full and the built-in clearing functions are not sufficient. The next step would be to modify the TTLs so unnecessary DNS cache entries do not last as long.
