Why does the firewall send a DNS query for AAAA every 60 seconds when the “Minimum FQDN Refresh Time” is set to more than 60 seconds?
Created On 06/14/22 09:13 AM - Last Modified 11/22/24 22:40 PM
Question
Why does the firewall send a DNS query for AAAA every 60 seconds even though “Minimum FQDN Refresh Time” is set to a value greater than 60 seconds?
The following error message appears every 60 seconds in dnsproxyd.log (less mp-log dnsproxyd.log).
admin@PA-VM> tail follow yes mp-log dnsproxyd.log
(snip)
18:24:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:25:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:26:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:27:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
In this case, “Minimum FQDN Refresh Time” is set to 180 seconds.
The FQDN address object has an IPv4 address.
The firewall sends the DNS query for AAAA every 60 seconds rather than every 180 seconds.
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- FQDN objects used with IPv4 address
- DNS
Answer
- The firewall sends DNS queries for both A and AAAA records to resolve an FQDN address object.
- Once the firewall has resolved an FQDN address object and cached the result, it sends DNS queries to refresh that cache according to the “Minimum FQDN Refresh Time”.
- When the FQDN has no IPv6 address, so the firewall cannot resolve the FQDN address object to an IPv6 address, the firewall retries the DNS query for AAAA every 60 seconds.
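As an added illustration (not part of this article or of PAN-OS), the following Python script parses dnsproxyd.log lines of the format quoted above and tells the 60-second AAAA retry described here apart from a normal refresh at the configured interval. The sample input is the four log lines from this article; the function names and labels are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pan_dnsproxy_log_resolve_fail warning format shown in this article.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} Warning: "
    r"pan_dnsproxy_log_resolve_fail\(pan_dnsproxy_util\.c:\d+\): "
    r"Failed to resolve domain name:(?P<fqdn>\S+) (?P<rtype>AAAA|A) "
    r"after trying all attempts to name server\(s\): (?P<ns>.+)$"
)

# Sample input: the four log lines quoted in the article, plus the "(snip)" marker.
SAMPLE_LOG = """(snip)
18:24:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:25:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:26:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
18:27:35.013 +0900 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:www.paloaltonetworks.com AAAA after trying all attempts to name server(s): 8.8.8.8
""".splitlines()

def parse_failures(lines):
    """Group resolve failures by (fqdn, record type); values are seconds since midnight."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "(snip)" and unrelated log lines are ignored
        t = datetime.strptime(m["time"], "%H:%M:%S.%f")
        failures[(m["fqdn"], m["rtype"])].append(
            t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6)
    return dict(failures)

def classify(failures, min_refresh_seconds, tolerance=2.0):
    """'aaaa-retry': AAAA failures about 60 s apart while the configured refresh is longer
    (this article's case); 'refresh': spacing matches the configured refresh; else 'other'."""
    labels = {}
    for (fqdn, rtype), times in failures.items():
        if len(times) < 2:
            labels[(fqdn, rtype)] = "insufficient-data"
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = sum(gaps) / len(gaps)
        if rtype == "AAAA" and abs(avg - 60) <= tolerance and min_refresh_seconds > 60 + tolerance:
            labels[(fqdn, rtype)] = "aaaa-retry"
        elif abs(avg - min_refresh_seconds) <= tolerance:
            labels[(fqdn, rtype)] = "refresh"
        else:
            labels[(fqdn, rtype)] = "other"
    return labels
```

Run classify(parse_failures(SAMPLE_LOG), 180) against the configured refresh time of 180 seconds; an "aaaa-retry" label on an AAAA series means the FQDN simply has no IPv6 record, which is the expected behaviour explained above rather than a DNS outage.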
Additional Information
- This behavior is related to the FQDN Refresh Enhancement introduced in PAN-OS 9.0.
- If IPv6 is not used on the network, the error messages can be avoided by disabling IPv6 Firewalling.
- When IPv6 Firewalling is disabled, the firewall sends only the DNS query for A to resolve an FQDN address object, but it does not process any IPv6 packets.
- How to Enable and Disable IPv6 Firewalling