Random DNS responses dropped on firewall when DNS security enabled (Anti-Spyware Profile)
3820
Created On 06/09/23 22:03 PM - Last Modified 06/02/25 20:03 PM
Symptom
- Random DNS responses are dropped on the firewall when DNS Security is enabled in an anti-spyware profile that is applied to the relevant security policy.
- This is likely to happen on new URLs (domain names) that were not resolved previously.
- Global counters containing "ctd_dns" are incremented. The most relevant in this regard are:
  - ctd_dns_req_lookup_miss
  - ctd_dns_req_lookup_noaction
  - ctd_dns_reply_wait
  - ctd_dns_wait_pkt_drop
  - ctd_dns_pkt_retransmit
- When capturing traffic on the firewall, drops are seen when either of these counters increments:
  - ctd_dns_reply_wait
  - ctd_dns_wait_pkt_drop
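Added example (not from this article or from Palo Alto Networks): a small Python script that diffs two samples of `show counter global` output and separates the two counters whose increments coincide with dropped replies from the wait/retry counters. The sample rows, their values and descriptions are constructed, and the column layout only approximates the real CLI output.

```python
import re
# Counters named in the article. True marks the two whose increments
# coincide with dropped DNS replies in packet captures.
CTD_DNS_COUNTERS = {
    "ctd_dns_req_lookup_miss": False,
    "ctd_dns_req_lookup_noaction": False,
    "ctd_dns_reply_wait": True,
    "ctd_dns_wait_pkt_drop": True,
    "ctd_dns_pkt_retransmit": False,
}

# Assumed row layout of 'show counter global': name value rate severity category aspect description
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# Constructed samples taken a few seconds apart (values and descriptions are made up).
SAMPLE_BEFORE = """\
name                         value  rate severity category aspect description
ctd_dns_req_lookup_miss        120     0 info     ctd      dns    request lookup miss
ctd_dns_req_lookup_noaction     40     0 info     ctd      dns    request lookup no action
ctd_dns_reply_wait              15     0 info     ctd      dns    reply held for cloud verdict
ctd_dns_wait_pkt_drop            3     0 drop     ctd      dns    packet dropped while waiting
ctd_dns_pkt_retransmit           3     0 info     ctd      dns    query retransmitted
"""
SAMPLE_AFTER = """\
ctd_dns_req_lookup_miss        126     1 info     ctd      dns    request lookup miss
ctd_dns_req_lookup_noaction     40     0 info     ctd      dns    request lookup no action
ctd_dns_reply_wait              19     1 info     ctd      dns    reply held for cloud verdict
ctd_dns_wait_pkt_drop            5     0 drop     ctd      dns    packet dropped while waiting
ctd_dns_pkt_retransmit           5     0 info     ctd      dns    query retransmitted
"""

def parse_counters(text):
    """Return {name: value} for every ctd_dns_* row in counter output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and m.group(1).startswith("ctd_dns"):
            counters[m.group(1)] = int(m.group(2))
    return counters

def analyze(before_text, after_text):
    """Split positive deltas into drop indicators and wait/retry indicators."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    deltas = {n: v - before.get(n, 0) for n, v in after.items()}
    drops = {n: d for n, d in deltas.items() if d > 0 and CTD_DNS_COUNTERS.get(n)}
    waits = {n: d for n, d in deltas.items() if d > 0 and not CTD_DNS_COUNTERS.get(n)}
    return drops, waits

if __name__ == "__main__":
    print(analyze(SAMPLE_BEFORE, SAMPLE_AFTER))  # (drop indicators, wait/retry indicators)
```

Feeding two real samples (for example taken a few seconds apart during the drops) shows whether the wait-related counters are the ones moving, which is the signature this article describes.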
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- DNS Security enabled on anti-spyware profile
Cause
- The firewall drops the DNS response if the cloud response (verdict) has not been received by the time the cloud DNS lookup timeout expires.
- However, the initial DNS query (the query whose response was dropped) will be retransmitted to the DNS server for another resolution attempt.
Resolution
- Depending on the use case and requirements, the DNS Signature Lookup Timeout (ms) can be modified by navigating to DEVICE > Setup > Content-ID > Realtime Signature Lookup, as shown below:
- This value specifies the duration, in milliseconds, that the firewall waits on its query to the DNS Security service.
- If the cloud does not respond before the end of the specified period, the firewall releases the associated DNS response to the requesting client.
- The value can be set between 0 and 60,000; the default is 100.
- A high value increases the chance of latency, as mentioned in this article.
- Lowering this value reduces latency, but at the cost of a security tradeoff:
  - If a malicious request is released before a verdict reply is received, the anti-spyware profile may initially allow it through.
  - The anti-spyware profile will only be able to take action on subsequent malicious requests once the verdict has been received and the FQDN is cached.
- The value must be adjusted according to the organization's requirements.